Slashdot Mirror


Unofficial Patch For Windows URI Hole

dg2fer writes "For more than two months, the vulnerability of parsing URIs has been known for a number of Windows programs, including Outlook, Adobe Reader, IRC clients, and many more. Microsoft admitted the vulnerability only last week. The latest Microsoft patches published on October's Patch Tuesday did not include a solution, so hackers have taken on the problem themselves. One, KJK::Hyperion, has published (as open source) an unofficial patch that cleans up the critical parameters of URI system calls before calling the vulnerable Windows system function."

85 comments

  1. What is Microsoft's reason for silence? by jkrise · · Score: 5, Interesting

    They have admitted belatedly that IE7 on XP is broken; and that it is a very serious threat to security. So what prevents them from releasing a patch right away?

    Is this vulnerability used / proposed to be used to make non-genuine Windows XP machines running IE7 unusable? Remember the unapproved, illegal stealth update that broke patching after a 'system restore'? Microsoft's continued silence is very intriguing.

    --
    If you keep throwing chairs, one day you'll break windows....
    1. Re:What is Microsoft's reason for silence? by dattaway · · Score: 1

      So what prevents them from releasing a patch right away?

      Millions of dollars in research takes time.

    2. Re:What is Microsoft's reason for silence? by jkrise · · Score: 4, Interesting

      Millions of dollars in research takes time.

      But the problem is peculiar to IE7 and XP, NOT IE7 under Vista. This means that the billion dollar research has actually been completed, and that Vista includes the protection mechanism. Since IE7 was released after XP, it clearly indicates that this flaw has been on purpose; with some possible ulterior motive.

      Already, trust has been lost with the stealth update of XP; now with IE7 being forced as a Critical Patch despite the broken security model; the mistrust is complete.

      What Microsoft considers to be a critical patch is actually a crippling security hazard! How ironic!!

      --
      If you keep throwing chairs, one day you'll break windows....
    3. Re:What is Microsoft's reason for silence? by CCFreak2K · · Score: 3, Insightful

      My wild guess is that they're testing the patch. Remember that it's going to be deployed to many thousands, tens of thousands, however many systems, so they gotta make sure it works. Otherwise, there'll be a lot of hosed boxes.

      Of course, that could indeed not be the case at all...

      --
      "Beware of he who would deny you access to information, for in his heart he dreams himself your master."
    4. Re:What is Microsoft's reason for silence? by Anonymous Coward · · Score: 0

      So what prevents them from releasing a patch right away?


      The bug isn't related to DRM.

      Quick, someone find a way to utilize this bug to break some inane DRM scheme.
    5. Re:What is Microsoft's reason for silence? by BitZtream · · Score: 5, Insightful

      Just because you can tell it affects one OS and not the other doesn't mean they know why or even intentionally fixed it in the new OS.

      The function with the problem is now considered part of the core OS in XP and not really part of IE anymore, even though IE updates often included updates to it, it's more part of a common set of Internet related libraries which many applications use.

      Because MANY applications use this library, making changes to it without evaluating what will happen to the many applications that use it could result in a lot of broken applications. Microsoft doesn't want to piss off a bunch of users by fixing a security flaw that will effectively break a lot of stupid apps that were also not written properly. As the open source patch page says, apps will break with the way it is done, so MS will take some more time and try to fix the problem in a way that doesn't bork everybody.

      This is in contrast to the way the open source community would typically handle a problem such as this. Someone would patch the offending library, and any app that broke along the way (which is also likely to be open source since the user is already using open source applications/OSes) can also be patched as needed. The original authors typically would spend less time worrying about backwards compatibility issues and just break those apps in favor of security.

      When you are dealing with an arena where most of the users A) use closed source apps B) don't watch for updates to their applications, let alone install them as soon as they come out. C) generally don't care about such issues until it affects them, D) get rather pissed off when a subtle change applied in an automatic update they automatically installed breaks applications which they see no relationship with. Then it makes sense to take your time and fix the problem and maintain as much backwards compatibility as possible, so users don't experience issues. I wish more open source developers would learn this. Any project with some age to it generally understands it, but plenty of new/small OSS libraries have no concept of backwards compatibility and/or the fact that fixing bugs should not break compatibility if there is any possible way to avoid it.

      It's ignorant to think the core libraries which contain the ShellExecute function are the same in Vista and XP for so many reasons it's not even funny. They are rather tightly linked into many parts of the OS, the main one that comes to mind is the registry. The simple fact that registry permissions are a lot different in Vista compared to XP probably resulted in a major refactoring of the function. If you understood how the function actually achieved its goals in the first place, you'd understand that it's likely to have changed drastically in Vista and as such problem doesn't actually fix the problem directly, but as a side effect of other changes. Or, it could just be that the problem is different in Vista in such a way that it manifests itself differently.

      I have no love for many of the things MS does with Windows for a multitude of reasons. However, your logic for bashing them here is ignorant at best. You have no concept of large scale software development or you would probably understand how this could show up in major OS revision and not in the next, and no understanding of where the function belongs in the system as a whole.

      As a final thought though, by this point in time, they should have come up with a way to fix it with as little pain as possible, or admit defeat and break the apps that don't handle URLs properly anyway.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    6. Re:What is Microsoft's reason for silence? by Anonymous Coward · · Score: 0

      Since IE7 was released after XP, it clearly indicates that this flaw has been on purpose; with some possible ulterior motive.

      Or perhaps some stupid backwards compatibility reason that hasn't been worked around yet?

      Do not immediately attribute to malice that which can be easily attributed to stupidity.
    7. Re:What is Microsoft's reason for silence? by faloi · · Score: 1

      Don't give Microsoft so much credit. It's possible that they got lucky, essentially, in having Vista not be affected because of any number of changes made in the core of the OS. I don't trust Microsoft, and I also don't think they're crafty enough to come up with this as part of a master plan. Coming up with it through stupidity and lack of planning and communication across groups internally, I'd believe.

      --
      "It is a miracle that curiosity survives formal education." -Albert Einstein
    8. Re:What is Microsoft's reason for silence? by Paradigm_Complex · · Score: 1

      Are you seriously proposing IE6 is/was more secure than IE7? MS lost my trust long, long before the stealth update issue, but having IE7 as a "critical" patch doesn't really seem to be that bad of an idea. Now, leaving such a hole in it for so long fits the MS MO that lost my trust in the first place.

      --
      "A witty saying proves nothing." - Voltaire
    9. Re:What is Microsoft's reason for silence? by NatasRevol · · Score: 3, Insightful

      Microsoft doesn't want to piss off a bunch of users by fixing a security flaw that will effectively break a lot of stupid apps that were also not written properly.

      I don't know why, but that cracks me up. Not arguing with you at all, but it is funny that MS cares more about the apps than security. And it explains a lot of their issues.
      --
      There are two types of people in the world: Those who crave closure
    10. Re:What is Microsoft's reason for silence? by xlsior · · Score: 4, Insightful

      Since IE7 was released after XP, it clearly indicates that this flaw has been on purpose; with some possible ulterior motive.

      Never ascribe to malice, that which can be explained by incompetence.

      Since the system core is different on XP vs. Vista, it's quite likely that there are differences in how IE7 interacts with XP than it does with Vista. It's not impossible that a genuine bug only affects the XP interaction but not Vista.

    11. Re:What is Microsoft's reason for silence? by rbochan · · Score: 1

      "Not arguing with you at all, but it is funny that MS cares more about the app^H^H^H marketing than security. And it explains a lot of their issues." There. Fixed that for you.

      --
      ...Rob
      The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
    12. Re:What is Microsoft's reason for silence? by mr_mischief · · Score: 2, Insightful

      To Microsoft, apps are marketing. People know Windows isn't that great. Even most people with little clue that there are alternatives know that Windows sucks. What they don't know is how to do the things on other systems they can do on Windows. The apps are different. They're sometimes harder to install (but sometimes, IMO, easier) on some of the alternatives. Sometimes you can't find a suitable alternative at all. There are training issues and issues with re-acquiring things already bought. There's data transfer problems with incompatible file types, undocumented file formats, and insufficient export from the Windows apps and insufficient import on the OS X, Solaris, or Linux apps. There's not a cardboard-box market for most non-Windows applications.

      Quite simply, when Steve Ballmer yells, "Developers, developers, developers!", it's because that's Microsoft's ticket to keeping its huge installed base. If you get the application developers in a company won over to your OS exclusively, the applications from that company will be written for your OS exclusively. When people find enough of those applications that are Windows-only difficult to cut loose, how in the world are they going to cut Windows loose?

      There are great applications for OS X, Linux, and Solaris. Likewise for the BSDs, MorphOS, Amiga OS3, Plan9, AIX, OS/2, and more. The application stacks for all these systems are strong and deep. What they're not is broad. Final Cut Pro rocks. Apache is wonderful. Ardour is great. Blender and Lightwave are really nice. There are some killer games on Linux and OS X. There's just not much. There's great stuff, but there's just not enough of it to compare to what you can get for Windows. If you're running servers or doing narrowly defined work, that's great. If it's for a hobby or for a second or third computer, that's great. If, however, you need the broadest possible access to strange, non-portable or unported, shrink-wrapped random crap, at least one desktop needs to be Windows. That situation may change, and I hope it will. That's just the truth right now, though.

    13. Re:What is Microsoft's reason for silence? by TT077141 · · Score: 1

      Vista is good, because it encourages us to use original software rather than using a pirated copy. It will prevent us from being attacked by malicious programs. Security is much better than Microsoft XP. Good job!

    14. Re:What is Microsoft's reason for silence? by zairi5811 · · Score: 1

      MS cares more about apps than security because they only think about how to fight against software piracy.

    15. Re:What is Microsoft's reason for silence? by rk075906 · · Score: 1

      Microsoft needs someone else to clean up their faults in their software but they still want us to pay for their software. Sometimes I don't understand why my university collaborates with Microsoft if they have so many security issues.

    16. Re:What is Microsoft's reason for silence? by rk075906 · · Score: 1

      http://www.frsirt.com/english/advisories/2007/3182. More and latest vulnerabilities about Microsoft

    17. Re:What is Microsoft's reason for silence? by rk075906 · · Score: 1

      It's karma: when you're doing something for profit and not for good deeds, you'll face problems.

    18. Re:What is Microsoft's reason for silence? by rk075906 · · Score: 1

      Never trust an operating system you don't have sources for.

    19. Re:What is Microsoft's reason for silence? by nor_fariza · · Score: 1
      Now I know why IE7 intermittently crashes my XP. Darn it.
      I'm not sure how many times patches after patches to make this work. And previously, a security patch for pdf files which also link to IE7, and now this. They should just say IE7 is only for Vista, and MS build it through Vista's development. MS should be more transparent in admitting their problem rather than just releasing patches after patches which is rather tiring I must say.

      Since the system core is different on XP vs. Vista, it's quite likely that there are differences in how IE7 interacts with XP than it does with Vista. It's not impossible that a genuine bug only affects the XP interaction but not Vista.
      I have to agree with this. How can the same browser interact with a different Windows core?

      I'll stick with Firefox anyway.
    20. Re:What is Microsoft's reason for silence? by aman534 · · Score: 1

      Microsoft will be facing a problem of losing their users if they keep silent about these issues... they should respect and care about users who keep on supporting them... It looks like they have to fix the problem before things become worse...

    21. Re:What is Microsoft's reason for silence? by HalAtWork · · Score: 1

      They could care about both if they released documentation for all API calls so that developers would know what type of behaviour to expect from certain calls. They don't, so developers program according to the behaviour they see, and they have no way of knowing if it doesn't work properly. If MS would release documentation, then they could fix it and the only stupid apps would be ones where developers did not look at the documentation at all.

    22. Re:What is Microsoft's reason for silence? by BitZtream · · Score: 1

      This particular item is documented in the Platform SDK. Documentation has bugs as well. In this case, the documentation is fine, the implementation is bad. MANY developers who write software simply don't know jack shit about security issues, no amount of documentation in the world is going to fix the guy/girl who wants to get their app out the door tonight, and can't be bothered to read the 'Security Note:' section attached to the documentation or in this case, read the information related to how the function works at a lower level.

      MS has a bug in the function, imho, it should have ALWAYS normalized URLs in a standard way that prevented any sort of commandline escaping. Had they done that properly from the start, this would not be an issue. But, the problem here isn't lack of documentation, it's purely bad implementation.

      For the most part, Windows is fairly well documented for the main public stuff that pretty much everyone uses. When you start trying to do more integrated things is where it starts to get sparse, this simply isn't one of those places though.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  2. Re:Well... by gQuigs · · Score: 5, Informative
  3. I don't understand the logic by BadAnalogyGuy · · Score: 5, Insightful

    I understand patching holes in Linux. There's no one out there who is going to hold you responsible if you release the patch for free and say install at your own risk. However, if you put out a patch for a closed source system, you run the risk of not only breaking some unexpected functionality, but also make your users susceptible to having their systems determined to be WGA-noncompliant. You run the risk of essentially breaking peoples' computers for what?

    Yes, the risk is real and it sucks. But it's not your responsibility to fix Microsoft's holes. Once you do take on that responsibility, are you also willing to face the consequences when your users blame you for their license revocation?

    Sure it won't happen this time, and maybe you'll dodge the bullet a few more times, but when the day comes that you've crossed over the line too far, will having fixed Microsoft's problems really been all that great?

    1. Re:I don't understand the logic by Anonymous Coward · · Score: 0

      It is easy to understand the logic. It is to pressure MS to take security holes more seriously than to wait couple months to give enough attention.

      Also, maybe MS has no idea how to approach fixing this hole and for someone else to give them a hint is very helpful to them to get started.

      MS needs to understand that there are customers who take security very seriously.

      Sheesh, is this so hard to understand?

    2. Re:I don't understand the logic by spleen_blender · · Score: 1

      rtfa Now, a hacker with the pseudonym KJK::Hyperion has published a provisional and, needless to say, highly unofficial patch that tries to clean up the call parameters in the handling of the vulnerable Windows function ShellExecute(). But as the developer himself warns, "The present patch is dramatically under-tested and it has underwent [sic] no quality assurance procedure whatsoever..."

    3. Re:I don't understand the logic by Anonymous Coward · · Score: 0

      He isn't forcing anyone to install the patch, buddy.
      Users can make up their own mind. If they're too dumb to understand the risks of installing this, then they can just fuck off.

    4. Re:I don't understand the logic by jkrise · · Score: 1

      But it's not your responsibility to fix Microsoft's holes. Once you do take on that responsibility, are you also willing to face the consequences when your users blame you for their license revocation?

      Fixing Microsoft-created holes is the basic reason why anti-virus firms exist; and why they do such roaring business; and also why they are trusted MORE than Microsoft, which makes the underlying crappy OS.

      What is the worst that can happen when WGA fails? If the user gets no further updates from Microsoft... no problem; the anti-virus bloke is so much more clean and reliable.

      --
      If you keep throwing chairs, one day you'll break windows....
    5. Re:I don't understand the logic by pembo13 · · Score: 1

      I don't understand the logic either. It's not like Microsoft fixes these things out of the goodness of their own hearts. They are responsible for it as far as I understand.

      --
      "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
    6. Re:I don't understand the logic by plague3106 · · Score: 1

      Ya, it's too bad that when MS does want to fix a big problem that the same AV people bitch and complain that it would "kill" their market, so MS is forced to leave holes in there. I can see why you trust them.. wait, I can't.

      Considering that AV software sucks so bad I believe it was causing blue screens in Vista, or when it is working "properly" it slows down the computer noticeably. Norton and McAfee are both steaming piles..

    7. Re:I don't understand the logic by _14k4 · · Score: 1

      What is keeping the person releasing this patch from saying the same thing patches on Linux say? "Use at your own risk." Honestly, I think the real concern here is trust. You may not trust Microsoft, but will you trust a 3rd party changing an integral part of an already-leaky OS?

    8. Re:I don't understand the logic by cHiphead · · Score: 1

      That's a common misconception, the 'killing' of the AV market was done on purpose b/c MS saw another place they could 'leverage' their "IP". You can't trust anyone, most of all MS.

      SAV/eTrust/McAfee/etc. with their real time scanners essentially use fancy hacks to work. Microsoft's decision to shut them out in Vista essentially forced them to find another hack for it, just like the virus writers will eventually do themselves. It's cat and mouse. Locking out security companies with the economic scale to put money into security research is a great way to assure that your OS goes down in flames.

      Cheers.

      --

      This is my sig. There are many like it, but this one is mine.
    9. Re:I don't understand the logic by BitZtream · · Score: 1

      This is such an ignorant statement on so many levels.

      First off, this message probably sounds insulting to non-MS based OSes, it's not meant to be, I prefer FreeBSD and OSX myself.

      Don't confuse your 's lack of a massive user base with the reason Windows is the target of so many viruses.

      Regardless of what you think about your OS (whatever you may use) it is STILL capable of getting infected by a virus. Traditionally, Windows users (due to lack of intelligent design by MS) typically run everything at elevated privilege levels which means a virus affects more of the system.

      But, if you think for one second that running as a normal user on linux/freebsd/osx/beos/SomeOtherObscureOsNoOneCaresAbout prevents you from becoming part of the Storm botnet, you're completely ignorant of how viruses work.

      A virus can affect a single user account and still do plenty of damage. Your user can still run background tasks without you noticing that result in botnets, damage to your personal files, spreading to other systems when you carry data from one to another.

      Windows is the target of viruses because it's generally easy to write a block of code that will work on pretty much every version of Windows in use at any point in time. The ratio of Windows machines to every other machine on the planet is extremely high, the virus authors are targeting the largest market which requires the least amount of effort. Windows also has FAR FAR more users who:
      A) don't care if they get infected if they don't notice
      B) aren't savvy enough to realize they are infected

      Alternative OS people (excluding the OS X crowd, which for the most part is much like the Windows crowd) generally know more about what they are doing or are learning about the OS so they are paying more attention, which means they typically will notice problems quicker on their own.

      The stupid idea of logging into Windows as an administrative user makes it easier for root kits and the like, but it's hardly the reason it's the target of so many viruses. And in case you haven't noticed, EVERY OS has security issues which allows privilege escalation, no code is bug free. Again, while MS isn't the best at security, they are ALSO the target of more people who want to find bugs/exploits as THOSE BUGS CAN BE USED AGAINST MORE MACHINES.

      Which is likely to make you more money? Targeting the 80% of the people in the world who might buy your product and only make one product, or target the 20% of the world that might buy your product, and have to make 4 different versions of it to support those 20%? Virus authors think the same way, as do the anti-virus companies.

      It's all well and good if you want to bash MS, I'll jump on the train with you, but don't be so fucking ignorant about it.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    10. Re:I don't understand the logic by KJKHyperion · · Score: 2, Informative

      It's a memory-only patch, and it hooks the vulnerable function using a standard, documented method (that was made obsolescent in Vista, but Vista isn't vulnerable in the first place). Apart from the horrible bugs that are entirely my own damn fault, nobody will care or know that my patch is installed on a system (unless they go look for it). It doesn't even address the vulnerability directly, it just prevents the vulnerable function from ever seeing an abnormal URL. Basically, I did it because I could, and because I wanted to: I knew how to hook in ShellExecuteEx, but I needed some hands-on experience with it

      Aside: I'm not even 100% sure of where the vulnerability is, yet, but I think the single bad choice that breaks the camel's back is an error handling function believing an error of "invalid argument" (returned by Internet Explorer 7 for malformed URLs) is not a critical error, allowing the URL to be misidentified as a non-normalized file path. The bug has been sleeping there since, I think, Internet Explorer 6, but it wasn't until Internet Explorer 7 that URL handling for execution purposes was moved from shdocvw.dll (and, I presume, the ParseURL routine, which is very liberal and only really serves to carve the scheme out of an URL) to ieframe.dll (and either the InternetCrackUrl or CoInternetParseUrl routine, which are a lot more finicky about URL syntax)

      Lastly: for developers, I have made a little snippet of code that demonstrates how to safely and unambiguously execute an URL with ShellExecute(Ex) without risking its interpretation as something else (yes, it would have prevented this mess), and documents a few other subtleties. For now it's just another post on Full Disclosure, I will give it a better home one day. I wish Mozilla used something like this instead of the messy code they have now

      --

      Make a difference - use Windows! (open source clone of Windows NT)
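
The approach described in the comment above (never let the shell-execute call see an abnormal URL), as an added example that is not KJK::Hyperion's patch or his Full Disclosure snippet: a portable C pre-check a caller could run before handing a string to ShellExecute(Ex). The scheme allowlist, the length limit, the rejection of `%00` and the use of RFC 3986 character rules are assumptions made for illustration, and every sample input is constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    URI_OK, URI_NO_SCHEME, URI_SCHEME_NOT_ALLOWED,
    URI_BAD_ESCAPE, URI_BAD_CHAR, URI_TOO_LONG
} uri_verdict;

#define URI_MAX_LEN 2048                     /* assumed limit */
static const char *const ALLOWED_SCHEMES[] = { "http", "https", "mailto", NULL };

static int is_alpha(unsigned char c) { return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z'); }
static int is_digit(unsigned char c) { return c >= '0' && c <= '9'; }

/* Case-insensitive match of the first n bytes of s against the allowlist. */
static int scheme_allowed(const char *s, size_t n)
{
    size_t k, j;
    for (k = 0; ALLOWED_SCHEMES[k] != NULL; k++) {
        const char *a = ALLOWED_SCHEMES[k];
        if (strlen(a) != n) continue;
        for (j = 0; j < n; j++)
            if (tolower((unsigned char)s[j]) != a[j]) break;
        if (j == n) return 1;
    }
    return 0;
}

/* RFC 3986 unreserved, gen-delims and sub-delims; '%' is handled separately. */
static int is_uri_char(unsigned char c)
{
    if (is_alpha(c) || is_digit(c)) return 1;
    return c != '\0' && strchr("-._~:/?#[]@!$&'()*+,;=", c) != NULL;
}

/* Returns URI_OK only for a string that can be read as a URI and nothing else. */
uri_verdict uri_check(const char *uri)
{
    size_t i, scheme_len;

    if (uri == NULL || !is_alpha((unsigned char)uri[0]))
        return URI_NO_SCHEME;
    if (strlen(uri) > URI_MAX_LEN)
        return URI_TOO_LONG;

    /* scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":" */
    for (i = 1; uri[i] != '\0' && uri[i] != ':'; i++) {
        unsigned char c = (unsigned char)uri[i];
        if (!is_alpha(c) && !is_digit(c) && c != '+' && c != '-' && c != '.')
            return URI_NO_SCHEME;
    }
    /* A one-letter "scheme" is indistinguishable from a drive letter. */
    if (uri[i] != ':' || i < 2)
        return URI_NO_SCHEME;
    scheme_len = i;
    if (!scheme_allowed(uri, scheme_len))
        return URI_SCHEME_NOT_ALLOWED;

    for (i = scheme_len + 1; uri[i] != '\0'; i++) {
        unsigned char c = (unsigned char)uri[i];
        if (c == '%') {
            /* '%' must start a complete two-hex-digit escape, and not %00. */
            if (!isxdigit((unsigned char)uri[i + 1]) ||
                !isxdigit((unsigned char)uri[i + 2]))
                return URI_BAD_ESCAPE;
            if (uri[i + 1] == '0' && uri[i + 2] == '0')
                return URI_BAD_ESCAPE;
            i += 2;
        } else if (!is_uri_char(c)) {
            return URI_BAD_CHAR;   /* space, quote, backslash, control, non-ASCII */
        }
    }
    return URI_OK;
}

static const char *uri_verdict_name(uri_verdict v)
{
    static const char *const names[] = {
        "ok", "no scheme", "scheme not allowed",
        "bad percent-escape", "bad character", "too long"
    };
    return names[v];
}

int main(void)
{
    /* Constructed sample inputs. */
    static const char *const samples[] = {
        "https://example.com/a%20b?x=1", "mailto:user@example.com",
        "http://example.com/100%", "http://example.com/a b",
        "file:///C:/x", "C:\\Windows\\notepad.exe", NULL
    };
    size_t k;
    for (k = 0; samples[k] != NULL; k++) {
        /* On Windows, only a URI_OK string would go on to ShellExecuteEx. */
        printf("%-34s -> %s\n", samples[k], uri_verdict_name(uri_check(samples[k])));
    }
    return 0;
}
```
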

    11. Re:I don't understand the logic by Yvanhoe · · Score: 1

      And that has always been a great incentive for them to fix bugs in the past

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    12. Re:I don't understand the logic by squallbsr · · Score: 1

      I don't understand how this 'patch' would cause WGA to fail, as this is just a hook into the system that cleans up a call to ShellExecute(). It isn't like a patch to an existing DLL or something that would cause checksums to fail on your system.

      Anyway, I'm glad to see that somebody tried to do something because of Microsoft's inaction. There are people out there that are forced to use Windows and this patch could definitely help hold them over until Microsoft gets their crap together. This patch just registers a DLL and a hook into the system, easily installed and easily removed (assuming it doesn't actually bork your system).

      Anyway, Microsoft would be stupid to fail WGA on people if anything is hooked into the system (think of Antivirus scanners, sysinternals tools (which were only recently acquired/purchased by MS), and other system utilities and hooks)

      --
      Sleep: A completely inadequate substitution for Caffeine.
    13. Re:I don't understand the logic by plague3106 · · Score: 1

      So the common misperception is that you take what MS says and immediately think of some other idea that fits your agenda? Is that basically what you're saying?

      Maybe you need to read the articles again, because the AV people didn't find another way to 'hack' around anything in Vista, MS changed Vista so that they could continue to operate as normal.

    14. Re:I don't understand the logic by BadAnalogyGuy · · Score: 1

      I can appreciate the work and effort you put into creating this patch, and I don't discount either your goodwill in creating it or your "thrill of the hack".

      How far would you be willing to go to fix an MS hole? Would you stop at the API level? Make calls to undocumented library functions? Replace a faulty DLL?

    15. Re:I don't understand the logic by Anonymous Coward · · Score: 0

      Basically the user would have to be an utter idiot to install this "patch" (hacked up crap).

    16. Re:I don't understand the logic by cHiphead · · Score: 1

      Pardon me for not being more verbose and in a hurry, they were in the process and had working but unstable versions testing in Vista before MS made the changes you refer to. Doesn't change the overall substance of my response.

      --

      This is my sig. There are many like it, but this one is mine.
    17. Re:I don't understand the logic by baadger · · Score: 1

      > For now it's just another post on Full Disclosure [seclists.org], I will give it a better home one day.
      > I wish Mozilla used something like this instead of the messy code they have now

      Where is the Mozilla code in question? Maybe someone can file a bug and/or patch?

    18. Re:I don't understand the logic by waveclaw · · Score: 1

      I understand patching holes in Linux. There's no one out there who is going to hold you responsible if you release the patch for free and say install at your own risk.

      At a seminar recently the speaker summed up proprietary software with a simple quote:

      "Hardware comes with a warranty. Software comes with a disclaimer."

      However, if you put out a patch for a closed source system, you run the risk of not only breaking some unexpected functionality, but also make your users susceptible to having their systems determined to be WGA-noncompliant. You run the risk of essentially breaking peoples' computers

      API stability is why some developers test for compatibility on minor version numbers while warning you about changes that require bumping major version numbers. Since you backed up your system, testing the patch and rolling back should be not a problem. Right?

      Sure it won't happen this time, and maybe you'll dodge the bullet a few more times, but when the day comes that you've crossed over the line too far, will having fixed Microsoft's problems really been all that great?

      The PC is not a box of pixie dust and rainbow magic. The software works, or in Microsoft's case doesn't work, for a reason. Experience in PC video gaming says no-CD cracks for broken DRM and OS-version-detection fixes can be downloaded with ease. Sometimes developed long after the original developer went bankrupt on Version X.0. In some cases people are paid good overtime to make these 3rd party patches not work. Yet J. Random Hacker still manages to pull through, thwarting attempts to make your $75 purchase a nice coaster companion for the paper box it came in. In short, it's not roses and green grass on either side of the fence.
      --

      "You cannot have a General Will unless you have shared experiences. You cannot be fair to people you don't know."
    19. Re:I don't understand the logic by plague3106 · · Score: 1

      It does change things a bit, but perhaps the way they would have been forced to work would have allowed Vista to be more secure, but still allow AV to function. If they really were working on a solution, why the outcry about the changes in Vista?

    20. Re:I don't understand the logic by Anonymous Coward · · Score: 0

      If you put your code out there first with a copyright, MS may have to license your code if their official patch is too similar, or even if parts of the two patches are too similar.

      At any rate, you can subpoena the MS code, effectively exposing it to public scrutiny. So, patch by patch, you force MS's hand.

    21. Re:I don't understand the logic by memodude · · Score: 1

      Also, don't forget that the Vista feature everybody loves to bitch about, UAC, is the one that causes normal apps to run with ordinary non-admin privileges.

    22. Re:I don't understand the logic by drsmithy · · Score: 1

      Fixing Microsoft-created holes is the basic reason why anti-virus firms exist; and why they do such roaring business; and also why they are trusted MORE than Microsoft, which makes the underlying crappy OS.

      Anti-virus programs don't "fix holes" in the OS, they fix holes in the *user*.

    23. Re:I don't understand the logic by drsmithy · · Score: 1

      "Hardware comes with a warranty. Software comes with a disclaimer."

      This does not change the fact that there are very real and tangible consequences for a fix to proprietary software that causes extensive breakage (lost customers and, more importantly, revenue), whereas the consequences for the same in the cowboy-esque OSS world have little impact outside the developer's ego.

      Your software might not come with a warranty, but if enough people stop paying for it, rest assured that the vendor will take notice and act to try and recover those customers and revenue. If I stop using $J_RANDOM_HACKER's bit of open source code - almost always distributed with the attitude of "it's free, you get what you pay for, if there's a problem fix it yourself" - why is he going to care?

    24. Re:I don't understand the logic by TT077141 · · Score: 1

      Nowadays, it's very difficult to find a very effective anti-virus. Which one would you say is the best anti-virus? Our programs are easily attacked by malicious programs, unless Microsoft helps us to create a new anti-virus which is suited to its applications.

  4. Re:Well... by Xtravar · · Score: 5, Informative

    I would mod this up, but I think I should explain why it's not off-topic instead.
    The guy who wrote this patch actually works on ReactOS. http://www.reactos.org/wiki/index.php/KJK::Hyperion

    I knew I remembered the name from somewhere.

    --
    Buckle your ROFL belt, we're in for some LOLs.
  5. It's a philosophical bug nonetheless.. by zukinux · · Score: 1

    If program A and program B are installed, and while the user uses program A (Internet Explorer) a specific bug causes that, if program B (Firefox) is installed and the user is currently using program A, a malicious user can cause program A to pass parameters which will not be checked by program B.

    So who is guilty? Program A, for allowing those parameters to be passed? Or Program B, which doesn't sanitize input from other programs? I'd say both.

    1. Re:It's a philosophical bug nonetheless.. by hesaigo999ca · · Score: 1

      I'm sorry to say, it's all MS's fault. There are no qualms about this one: set out a patch to disable your system restore, then set up an app, IE7, that is broken on the old system. Too many coincidences for me. I have the latest patch for Microsoft, although you need to do some install; here is the link: http://www.ubuntu_save_me_from_ms.com/ .... Unfortunately I develop for the Windows platform, and use .NET extensively, but I am tired of seeing MS get away with these tactics... Whenever I can, I try to push companies to go Linux, and set up the rest of the servers they can't migrate on VMWare... As for me at home..... Linux.... not cuz I love them, only cuz they do what they say.

    2. Re:It's a philosophical bug nonetheless.. by TT077141 · · Score: 1

      I'll say Program B is at fault, because Program B is supposed to do its work by preventing malicious programs from attacking, which has been allowed by Program A.

    3. Re:It's a philosophical bug nonetheless.. by zukinux · · Score: 1

      Then you think it's Firefox's bug?
      I'm still not sure.

  6. WHY? by MBHkewl · · Score: 4, Interesting

    Why should ANYONE release a patch for Microsoft (regardless of their application)?
    You ARE a paying user, and you SHOULD get the "quality" service you deserve. Isn't that why the OS costs money?

    I applaud those who have taken action & even more released the code as open source; it only shows the good hearts of the open source community, but as others mentioned, you may break something, in this very unstable OS, and you'll be the ones to blame, rather than being thanked for saving the users' money, identity & privacy.

    --
    Mod points are a dangerous tool. Abuse them wisely.
    1. Re:WHY? by Anonymous Coward · · Score: 0

      It could be argued that anyone willing to PAY to use Windows is already getting what they deserve.

    2. Re:WHY? by zairi5811 · · Score: 1

      Maybe one day Microsoft should use the term "best effort" to represent their service for customers.

    3. Re:WHY? by KJKHyperion · · Score: 1

      I hear that all too often. Personally, I think sense of entitlement has already done enough damage to IT security: there is this whole cottage industry of blackmailing services thriving on it, and despite it paying part of my rent, it only feels right and just to sabotage it.

      I would have made the patch for myself anyway (it wouldn't have been the first), releasing it as open source was just the icing. I didn't do it for any particular reason other than the obvious: I want to be protected, and I can protect myself.

      --

      Make a difference - use Windows! (open source clone of Windows NT)

    4. Re:WHY? by it072312 · · Score: 1

      I think he should be paid.... Come on Bill, you can afford it.

    5. Re:WHY? by aman534 · · Score: 1

      Well, it's a good idea if someone can release a patch for Microsoft BUT it looks like this idea won't work at all because Microsoft does not belong to the open source community... :(

    6. Re:WHY? by aman534 · · Score: 1

      It's a good idea if someone can release a patch for Microsoft (regardless of their application). However, it looks like this idea won't work because Microsoft does not belong to the Open source community :( Besides, I keep on wondering why Microsoft cares more about the application than security.... Just hope that they can solve this problem one day...

  7. Hole in the Patch for the Windows URI Hole by dg2fer · · Score: 5, Informative

    The author of the Patch for the Windows URI Hole, KJK::Hyperion, found a big bug in his patch for the Windows URI hole. "I just found a gruesome memory leak in it. A silly bug, brown paperbag-grade shame."

    According to the article on heise security he has already published a bugfix version of his patch -- hoping for the best, that it's not buggy again.

    --
    The slightly overweight penguin.
    1. Re:Hole in the Patch for the Windows URI Hole by Frosty+Piss · · Score: 2, Interesting

      Hahhaaaha ha ha... Should you really be trusting patches from "unknown" sources? Come on!

      --
      If you want news from today, you have to come back tomorrow.
    2. Re:Hole in the Patch for the Windows URI Hole by Anonymous Coward · · Score: 0

      When the patch includes source, why not? Just check the source a bit and recompile (ignore the prebuilt binary) :)

    3. Re:Hole in the Patch for the Windows URI Hole by Frosty+Piss · · Score: 1

      When the patch includes source, why not? Just check the source a bit and recompile (ignore the prebuilt binary) :)

      Why yes, of course. We're all Windows source code experts! Hell, why bother with someone else's patch at all? Do it the GNU / Open Source way, just write it ourselves!
      --
      If you want news from today, you have to come back tomorrow.
  8. Re:Open source, FTW! by oyenstikker · · Score: 2, Funny

    Ooh, the Storm-infected one has that blinking red HDD light. Pretty!

    --
    The masses are the crack whores of religion.
  9. Re:kwl by Paradigm_Complex · · Score: 1

    So long as their primary goal is cash-monies and they still hold their status as a monopoly, it's within their best interest to retain their closed model and let the people forced to stick with them bite the bullet. If they cared about their customers, well, yeah open source is the way to go.

    --
    "A witty saying proves nothing." - Voltaire
  10. Fingers in my ears by Mikey-San · · Score: 4, Funny

    I really don't want to hear about anyone's URI hole. Ew.

    --
    Mikey-San
    Karma: +Eleventy billion (mostly affected by watching Celebrity Jeopardy)
    1. Re:Fingers in my ears by Eliman · · Score: 1

      The best way I can come up with for reading the subject line is "Unofficial patch for ur eye hole" which to me sounds like Microsoft is trying to make pirates out of the lot of us.

  11. Recurse by piotrr · · Score: 1

    I find it hilarious that the unofficial fix linked has been updated to version 1.1 to fix a memory leak.

    --
    / Per
    1. Re:Recurse by Anonymous Coward · · Score: 0

      Wait for version 1.2 - it will fix the buffer overflow vulnerability that 1.1 introduced.

    2. Re:Recurse by Cro+Magnon · · Score: 1

      Well, at least the patch is getting fixed quicker than the hole.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  12. Appropriate subject line by Cctoide · · Score: 1

    But you put your fingers in your ears! Ew!

    --
    "Let's face it, it's a good story. Accuracy would kill it."
  13. Microsoft may have a bad track record by kasperd · · Score: 2, Insightful

    But unofficial patches for closed source software have a worse track record. I recall some other case where IE had a tiny little information leak. Somebody then released a "patch" for that, which not only was an ugly hack, but at the same time introduced a buffer overflow which was a lot worse than the original bug. The "patch" came with source, but AFAIR the license did not permit you to fix the bug in the "patch".

    Introducing a much worse security hole when fixing a minor security hole is the kind of thing that can happen when you write code without getting it reviewed. Any decent code review would have caught that bug. And that is not the real reason third party "patches" for closed source software are a bad idea.

    The correct way to fix a bug in any piece of software is to take the source, fix the bug, and recompile. No third party can do that for a closed source product, which is why that approach is never going to be good for the users.

    --

    Do you care about the security of your wireless mouse?
  14. Espionage rental income by SpaceLifeForm · · Score: 1

    It will be fixed next patch tuesday.
    Until then, those that rented the hole will get what they paid for.

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
  15. It's all about the benjamins. by typicallyterrific · · Score: 1

    Microsoft isn't in the business of selling security, it's in the business of selling a platform you can run your apps on (and, well, office too).

    They'd be incredibly silly if they didn't bend over backwards to make sure no apps get broken 'cos of these patches. If your mission-critical XYZ app suddenly stops working, you have every right to be pissed off!

    (whereas mission-critical XYZ could also be called "that photo sharing app grandma learned how to use five years ago".)

  16. Re:kwl by rk075906 · · Score: 1

    Windows' new slogan: How do you want to crash today?

  17. Re:Well... by tt077183 · · Score: 1

    Microsoft developers are people who know how Windows works too; however, occasionally they will release a patch that will break stuff under some scenarios. There is a HUGE test coverage that one would have to run to make sure the patch is not going to break things for a HUGE number of people. MS software is used in combination with all sorts of software, hardware etc. Even if Bill Gates wrote the fix himself (or substitute Bill's name for whoever from MS you think knows Windows best), I am not sure I'd put it anywhere in production unless it was tested