Microsoft Flip-Flops On URI Protocol Handing Flaw

a-twitter writes "After months of insisting there is nothing to patch, Microsoft has done a complete 180 on the URI protocol handling vulnerability, announcing in a security advisory that a Windows update will be released to revise URI handling code within ShellExecute() to be more strict. The MSRC blog explains the background and offers more details on this issue."

like a dervish, they are

[User 956 (568564)]

After months of insisting there is nothing to patch, Microsoft has done a complete 180 on the URI protocol handling vulnerability

If it took them that many months, it sounds like they did a 1260.

Re:like a dervish, they are

[ricebowl (999467)]

If it took them that many months, it sounds like they did a 1260.

And here I'm still saving to buy the 360...

Sigh...

Re:like a dervish, they are

[ozmanjusri (601766)]

Why don't you just twist a red glow-stick into a ring and glue it to the front of a cereal box? It'll work as well as most 360s do...

Re:

[mrbluze (1034940)]

Maybe it took them so long because they had to bug-fix the patch, so the replacement vulnerability won't be so easy for non-spooks to detect.

Re:

[rk076200 (1159895)]

Microsoft has finally accepted responsibility for its role in a security weakness that allows malicious websites to run harmful code on an end user's machine.

Good.

[Futurepower(R) (558542)]

Now we won't have to read any more Slashdot comments that say, "It's not really Microsoft's problem."

Re:

[Spy der Mann (805235)]

Now I wonder how many machines have now been zombified due to Microsoft's "little mistake". :-/

Who's gonna be held accountable for that?

Re:Good.

[Cassius Corodes (1084513)]

Me. I'm gonna get a week's vacation docked.

Re:Good.

[dedazo (737510)]

No, it's not. Never was. They're fixing other applications (Firefox in this case), the way they hack their entire userspace to deal with application quirks and stupid use of undocumented structures and APIs that are not supported. But that's the price they ultimately have to pay for backwards compatibility - the reason they also still own 96% of the desktop.

Re:

[clsours (1089711)]

No, no, no. Windows automagically does all kinds of crap. Especially with explorer, which for most intents and purposes is also Internet Explorer. Windows does many many things for the user that are 'nice', but really compromise security. With a culture of obfuscation-as-security and a growing codebase you HAVE to expect vulnerabilities.

Re:Good.

[MadMidnightBomber (894759)]

Create a shortcut on your desktop called 'www.slashdot.org' which points to 'www.bbc.co.uk'[1]. Now visit www.slashdot.org in IE.

Be afraid. Be very afraid.

[1] OB /. - or possibly to goatse

Only a problem if you omit the http:

[giafly (926567)]

Create a shortcut on your desktop called 'www.slashdot.org' which points to 'www.bbc.co.uk'.
Now visit www.slashdot.org in IE.

Visiting www.slashdot.org [slashdot.org] is broken
Visiting http://www.slashdot.org/ [slashdot.org] works fine

IE seems to store the http: in favorites etc., so it's not much of a problem.
Also it doesn't affect Firefox so almost nobody will notice.

Re:

[mrRay720 (874710)]

Actually this sounds like expected behaviour. www.slashdot.org isn't a valid address, people are just used to the user-friendly auto-appending of http://./ [.]

www.slashdot.org is the name of a file in a location that IE searches for named shortcuts.

What IE is doing in this case is preferring an exact match over an autoguess.

The only arguement here is if IE should be searching the desktop for URL shortcuts, and considering how many people use their desktop in lieu of the favourites menu, I don't think that it's

Re:Firefox?

[Kalriath (849904)]

Well, actually, there are two issues being mentioned here. One, where Windows itself mishandles the URI. This is the one where a % symbol is included in the URI and ShellExecute stupidly tries to fix it (demons know how it manages to mangle it into an actual working executable path). The other, which Microsoft correctly attributes to third party vendors, is where when a protocol handler is called, no escaping of quotes is done - often causing apps like Firefox, or Trillian, or whatever, to actually accept half the URI as command line parameters.

The mistake made by the GP (and potentially yourself, as you refer to the "blame cast" with the Firefox team which from memory only occurred with the issue in June with a malicious URIs terminating the quoted string and including Chrome parameters) is that they assume the second option is the one which is being fixed. It is not. This will potentially still be a problem if applications don't continue to validate their URIs appropriately, as Windows doesn't know exactly what your application does to escape quotes.

One of these is a vulnerability. The other is third party applications violating a basic tenet of development (no input is trusted).

Re:

[by Anonymous Coward]

The other, which Microsoft correctly attributes to third party vendors, is where when a protocol handler is called, no escaping of quotes is done

OK, let's break down the steps to executing a program here. Now, I know Microsoft has their way of doing it, but really, it's exactly the same fucking thing with the same fucking array of arguments as parameters to the main function.

1) program A decides it wants to run program B with some arguments
2) program A assembles the argument list, and selects a member of t

Re:

[Kalriath (849904)]

Well, here's the thing:

What's exec()? Windows has ShellExecute(). ShellExecute for parameters accepts a single blind string. With this string, it passes it straight to an app to decide how it wants to interpret it. In your example, it's because it doesn't need to escape quotes to open "C:\Program Files\Somewhere" - which is good, because it has no idea how your application escapes quotes anyway. Does it use C syntax? Does it use BASIC syntax? Does it use Pascal syntax? Since it doesn't know these, i

Re:

[HeroreV (869368)]

If Internet Explorer was sending Firefox a valid URL, it wouldn't have to worry about escaping anything. Valid URLs don't contain whitespace, quotation marks, backslashes, or anything else that would need to be escaped. Why should Firefox expect to receive malformed URLs?

OT: Your last blog entry

[dylan_- (1661)]

Font sizes are in points. They won't be the correct size if your display size isn't being picked up correctly, which sounds likely. Try setting DisplaySize in your xorg.conf and see if it makes a difference. Remember to make a backup copy first, so you can just copy it back in play if something screws up.

Re:

[Random832 (694525)]

which is good, because it has no idea how your application escapes quotes anyway.

Well, for a filename (your "C:\Program Files\somewhere" example is not a URL), this issue is mitigated by the fact that filenames cannot contain quotes.

It would not, though, be out of line for applications passing URLs into shellexec to escape quotes (at the very least, double quotes) with URI escaping syntax, in order to guarantee that _they_ do not contain quotes. They should already be escaping spaces, anyway, so this shouldn't have happened regardless

Re:Firefox?

[ozmanjusri (601766)]

Without Firefox, NOTHING was vulnerable.

Rubbish.

There's a whole shopping list of apps, including IE7 [secunia.com] itself that were exposed to this vulnerability. Firefox was just the first to be accused.

Microsoft's only changed it's tune because Adobe's on the case with the Acrobat vulnerability. It's one thing to force a FOSS competitor to unnecessarily patch, but they'll have no luck with trying to force Adobe to fix every PDF reader out there.

Re:

[ozmanjusri (601766)]

"M$" has modified the way it works, which does not mean it's "mistaken".

Yes it does.

This is from the Technet mea culpa blog posting by MSRC's Jonathan.

With Internet Explorer 7 installed, the flow is a bit different. IE7 began to do more validation up front to reject malformed URI's. When this malformed URI with a % was rejected by IE7, ShellExecute() tries to "fix up" the URI to be usable. During this process, the URI is not safely handled. IE7 rejects the URI, and on Windows Vista ShellExecute() gracefully rejects the URI. That's not the case on the older versions of Windows like Windows XP and Windows Server 2003 when IE7 is installed.

Spin the facts as much as you like here, but anyone with a clue knows it is Microsoft's vulnerability. That's why they're the only ones who can fix it.

Re:

[dedazo (737510)]

I wasn't referring to the vulnerability in shell32 itself, but to the way applications handle escape quotes in URIs passed to registered handlers like "chrome://".

Most people (yourself included, apparently) don't understand that this is a two-way street. Microsoft can fix errors in their code, but they can do fuck all about what Firefox or Adobe Reader do with the input passed to them. But then it's so much fun to spin that part, isn't it?

Re:

[dedazo (737510)]

Your bosses have accepted it's their problem.

Ooooh, that's so clever. Well, that does it for me. I won't bother you anymore, since surely there are other minions of the evil empire you must do battle with?

Good luck!

Re:Fanboy Bullshit at it's Finest.

[Planesdragon (210349)]

You must have slept through that whole anti-trust thing, where the Federal government proved that M$ did everything in it's power to break Netscape.

Psst. Netscape is not a competitor to Windows. Never was.

MS cripples themselves when they try and lean on Windows to get IE, or Office, or Visual Studio more market share. But Windows itself -- well, there's been to date, what, four serious attempts at competting with MS, and they haven't even managed to get half the market between them?

BeOS, UNIX et al, OS/2, and the Mac. All told, maybe 30% of the worldwide userbase. Microsoft is doing something right -- or else the "here, you can have this for free" crowd is doing something even worse than MS.

Re:

[absoluteflatness (913952)]

Psst. Netscape is not a competitor to Windows. Never was...
MS cripples themselves when they try and lean on Windows...

Well, the grandparent never said that Netscape was a competitor to Windows, but it sure was a competitor with Internet Explorer. Considering that Internet Explorer completely crushed Netscape due to it being free and bundled with Windows (and, eventually, a better product), I think that Microsoft's plan of leaning on their Windows dominance to sell their other products seems like a pretty successful one. Of course, of these, only IE is "bundled". For Office and Visual Studio, it's really a two-way stre

Re:

[houseofzeus (836938)]

Being a monopoly is not, in itself, illegal.

Re:

[JoelKatz (46478)]

It's not. It's nice that they fixed it, but it wasn't there bug. Firefox, and other programs, were passing invalid URLs from untrusted sources to the operating system.

The Point: They're Still Missing It.

[Tackhead (54550)]

From TFA:
> For traditionally "safe" protocols like mailto: or http:

And that's where my co-workers heard the cry of "You dumb motherfuckers".

It's been a few years since Microsoft boxes were out-of-the-box exploitable through anything other than rendering HTML content from either a web page or from within an email client.

While the planet is grateful for the lack of uPnP and DCOM/RPC worms of late, it also means that "things that have to do with email or web browsing" are among the least safe things you can ask a computer to do.

If you're at Microsoft, and you still think of "http://" as "safe", you're still part of the problem, not part of the solution.

Re:The Point: They're Still Missing It.

[drsmithy (35869)]

And that's where my co-workers heard the cry of "You dumb motherfuckers".

Maybe you should have kept reading (or you're just quoting out of context to sensationalise):

For traditionally "safe" protocols like mailto: or http: applications often just verify the prefix and then choose to call into the Windows shell32 function ShellExecute() to handle it.

And that's where my co-workers heard the cry of "You dumb motherfuckers".

It's pretty clear from context that the implication is other applications consider those prefixes as "traditionally safe", and not that Microsoft does.

Re:

[plover (150551)]

It's pretty clear from context that the implication is other applications consider those prefixes as "traditionally safe", and not that Microsoft does.

Umm...no. Your interpretation, while literal, doesn't parse because applications have neither traditions nor opinions on safety, nor do they write themselves. When you expand the original sentence's subject appropriately, it reads like this:

For traditionally "safe" protocols like mailto: or http: [human] application [writer]s often just verify the prefix

Re:

[drsmithy (35869)]

Umm...no. Your interpretation, while literal, doesn't parse because applications have neither traditions nor opinions on safety, nor do they write themselves. When you expand the original sentence's subject appropriately, it reads like this:

And when you expand my sentence appropriately, you get:

It's pretty clear from context that the implication is other applications [' developers] consider those prefixes as "traditionally safe", and not that [the average] Microsoft [developer] does.

At that point, it re

Re:

[Alwin Henseler (640539)]

While the planet is grateful for the lack of uPnP and DCOM/RPC worms of late, it also means that "things that have to do with email or web browsing" are among the least safe things you can ask a computer to do.

Which is really ridiculous, that normal users have come to expect (or should expect) that there are exploit-ridden websites which you should never visit, or else your system may get exploited and spyware/other crap gets installed behind the user's back.

One could pass a web-server ANYTHING as a URI, and the server basically returns you a 'page', consisting of a number of elements which are then rendered for your viewing pleasure. From a conceptual point of view, that's pretty much a READ action, and

Re:The Point: They're Still Missing It.

[Beryllium Sphere(tm) (193358)]

More insight into how Microsoft thinks about these things at Larry Osterman's blog [msdn.com].

Personally I'd point the finger at the idea of using ShellExecute on inadequately filtered data from the Internet.

Damn you, Microsoft.

[Jugalator (259273)]

Damn Microsoft for doing a 180 and making ShellExecute() be more strict about URI's. Damn you Microsoft for fixing that bug now, when you didn't fix it before. You should have kept with this and not fixed it. Or something. :-)

Re:

[fbjon (692006)]

That would be point one [slashdot.org] then.

The "New" Microsoft

[Propaganda13 (312548)]

After being criticized about security, Microsoft has taken additional steps to shorten the time between when they advise a customer of a vulnerability and when it is fixed. Ballmer stated "This is a win for both the customer and Microsoft."

Simple

[Vlaadimir (1146843)]

If Microsoft concedes that IE should validate/sanitize URL input before passing it to other applications, then other browsers should also validate/sanitize URL input before passing it to other vulnerable Microsoft/Adobe/IBM/... applications.

Re:

[micheas (231635)]

If Microsoft concedes that IE should validate/sanitize URL input before passing it to other applications, then other browsers should also validate/sanitize URL input before passing it to other vulnerable Microsoft/Adobe/IBM/... applications.

That would work if you didn't have to make an exception for the Outlook Web Access Client for exchange. That has all sorts of invalid URL's in it that should never be accepted by a web browser.

Worst thing Netscape and Microsoft ever did is allow their browsers to render

Re:

[micheas (231635)]

Ok, I'll bite. What "invalid" urls are in exchangeweb? Before you answer, remember I DO have exchange web on my server..

I cannot remember what the issue is exactly but it has (had? I have been mercifully spared from exchange 2005) to do with % signs in email subjects or file names.

My Flaw

[The Living Fractal (162153)]

I have a "handing" flaw. A protocol has a "handling" flaw.

My flaw is much more personal ;p

Pay attention

[by Anonymous Coward]

You're not paying attention. There were two flaws: One in Firefox, one in ShellExecute. Microsoft cannot and did not fix the flaw in Firefox (incorrect interpretation of command line). Microsoft did fix the bug in ShellExecute, which was by the failure to abort if URLMON returned an error code indicating that a given string was not a legal URI.

Re:Pay attention

[Alwin Henseler (640539)]

There were two flaws: One in Firefox, one in ShellExecute.

Excellent point.

Microsoft cannot and did not fix the flaw in Firefox (..)

Ehmm... wrong. Since Firefox is an open source project, ANYONE has the option to contribute patches, and Microsoft surely has the knowledge and resources to do so. Any decently managed open source project should accept patches from anyone, IF it provides a correct fix for a problem, and licensing of the patch is acceptable (like, licensed the same as the rest of the project).

Though I can't think of a reason why Microsoft would WANT to fix a problem in Firefox, unless IE's market share has dropped below 1% ;-)

Re:

[suv4x4 (956391)]

Ehmm... wrong. Since Firefox is an open source project, ANYONE has the option to contribute patches, a [...] Though I can't think of a reason why Microsoft would WANT to fix a problem in Firefox

So uhmm what was the point of this post at all? Anyone in Microsoft's position wouldn't want to fix their competitors' software, it being OSS or not.

Firefox isn't just a browser competing to IE on Windows. It's a browser on Windows that works the same on Mac and Linux. That's horrible for MS as the browser becomes th

Nothing new here

[GodfatherofSoul (174979)]

Microsoft is a pain when it comes to protocols. If they have a bug, unless it blows up Fortune 500 servers they put the burden on you to work around them. I wrote a HTTP proxy client lib a while back that ran with no problems for months/years until Microsoft got into our market. "But the RFC says..." means jack to your clients when their deployment is bombing out on transactions.

Re:

[rs79 (71822)]

"But the RFC says..."

Welcome to reality. If you made a mail daemon that worked according to spec nobody would be able to use it.

If you saw the errors in SSL browsers ignoered just to they look like they're working you'd shit.

Did the submitter read the links they included?

[Keeper (56691)]

There are two "bugs" being talked about.

1) an exploit in firefox URI protocol handler
2) an exploit related to how explorer handles rejected URIs from IE7 on XP/Win2k3

Apparently the submitter isn't able to differentiate #2 from #1.

The advisory is for item #2. Item #2 is going to get fixed. The advisory does not cover item #1. Item #1 will need to be fixed in the protocol handler itself.

Re:

[Random832 (694525)]

And while we're here, can anyone explain why the firefoxurl handler exists at all?

Though these are url handler keys instead of programs, imagine that firefoxurl is the real binary, and firefox sets up http, ftp, and so on, as symlinks to it. It can't put the real handler at 'http', since that could be overwritten by IE if someone opens IE and checks "make this my default web browser".

Whole thing reminds me of PHP XSS attacks...

[LingNoi (1066278)]

Is it PHP's fault that people don't escape their data before executing MySQL statements? No. Still it's such a wide problem that PHP is now going to escape all data in later versions of PHP.

This is the exact same situation. There are problems with un-escaped data and Microsoft doesn't want to bother much like the PHP team did before they changed their minds about the situation.

The only difference here is the way the code executes. I personally think it's not Microsoft's fault but they should fix it anyway.

Re:

[Gary W. Longsine (124661)]

Even though the parent forgot, "... and blame the developers of third party applications..." it was otherwise accurate, if blunt. The Troll mod is unfair. Mod, you will be punished in meta-mod land.

Re:

[Lord Bitman (95493)]

The phrase "flip-flops" officially died the first time one pundit quoted another by using it without attributing the source. Same with quagmire. These are now gone from the English language. Please do not use them.