Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Flip-Flops On URI Protocol Handing Flaw

Posted by kdawson on from the so-it's-a-bug dept.

a-twitter writes "After months of insisting there is nothing to patch, Microsoft has done a complete 180 on the URI protocol handling vulnerability, announcing in a security advisory that a Windows update will be released to revise URI handling code within ShellExecute() to be more strict. The MSRC blog explains the background and offers more details on this issue."

5 of 126 comments (clear)

  1. Good. by Futurepower(R) · · Score: 5, Insightful

    Now we won't have to read any more Slashdot comments that say, "It's not really Microsoft's problem."

    1. Re:Good. by MadMidnightBomber · · Score: 5, Interesting

      Create a shortcut on your desktop called 'www.slashdot.org' which points to 'www.bbc.co.uk'[1]. Now visit www.slashdot.org in IE.

      Be afraid. Be very afraid.

      [1] OB /. - or possibly to goatse

      --
      "It doesn't cost enough, and it makes too much sense."
  2. The Point: They're Still Missing It. by Tackhead · · Score: 5, Insightful
    From TFA:
    > For traditionally "safe" protocols like mailto: or http:

    And that's where my co-workers heard the cry of "You dumb motherfuckers".

    It's been a few years since Microsoft boxes were out-of-the-box exploitable through anything other than rendering HTML content from either a web page or from within an email client.

    While the planet is grateful for the lack of uPnP and DCOM/RPC worms of late, it also means that "things that have to do with email or web browsing" are among the least safe things you can ask a computer to do.

    If you're at Microsoft, and you still think of "http://" as "safe", you're still part of the problem, not part of the solution.

  3. Pay attention by Anonymous Coward · · Score: 5, Informative

    You're not paying attention. There were two flaws: One in Firefox, one in ShellExecute. Microsoft cannot and did not fix the flaw in Firefox (incorrect interpretation of command line). Microsoft did fix the bug in ShellExecute, which was by the failure to abort if URLMON returned an error code indicating that a given string was not a legal URI.

    1. Re:Pay attention by Alwin+Henseler · · Score: 5, Interesting

      There were two flaws: One in Firefox, one in ShellExecute. Excellent point.

      Microsoft cannot and did not fix the flaw in Firefox (..) Ehmm... wrong. Since Firefox is an open source project, ANYONE has the option to contribute patches, and Microsoft surely has the knowledge and resources to do so. Any decently managed open source project should accept patches from anyone, IF it provides a correct fix for a problem, and licensing of the patch is acceptable (like, licensed the same as the rest of the project).

      Though I can't think of a reason why Microsoft would WANT to fix a problem in Firefox, unless IE's market share has dropped below 1% ;-)