Microsoft Flip-Flops On URI Protocol Handing Flaw

a-twitter writes "After months of insisting there is nothing to patch, Microsoft has done a complete 180 on the URI protocol handling vulnerability, announcing in a security advisory that a Windows update will be released to revise URI handling code within ShellExecute() to be more strict. The MSRC blog explains the background and offers more details on this issue."
  • by User 956 ( 568564 ) on Thursday October 11, 2007 @06:48PM (#20947761) Homepage
    After months of insisting there is nothing to patch, Microsoft has done a complete 180 on the URI protocol handling vulnerability

    If it took them that many months, it sounds like they did a 1260.
  • Good. (Score:5, Insightful)

    by Futurepower(R) ( 558542 ) on Thursday October 11, 2007 @06:51PM (#20947795) Homepage
    Now we won't have to read any more Slashdot comments that say, "It's not really Microsoft's problem."
    • Re: (Score:3, Insightful)

      Now I wonder how many machines have now been zombified due to Microsoft's "little mistake". :-/

      Who's gonna be held accountable for that?
    • Re:Good. (Score:4, Informative)

      by dedazo ( 737510 ) on Thursday October 11, 2007 @06:55PM (#20947847) Journal
      No, it's not. Never was. They're fixing other applications (Firefox in this case), the way they hack their entire userspace to deal with application quirks and stupid use of undocumented structures and APIs that are not supported. But that's the price they ultimately have to pay for backwards compatibility - the reason they also still own 96% of the desktop.
      • Re: (Score:3, Insightful)

        by clsours ( 1089711 )
        No, no, no. Windows automagically does all kinds of crap. Especially with explorer, which for most intents and purposes is also Internet Explorer. Windows does many many things for the user that are 'nice', but really compromise security. With a culture of obfuscation-as-security and a growing codebase you HAVE to expect vulnerabilities.
        • Re:Good. (Score:5, Interesting)

          by MadMidnightBomber ( 894759 ) on Friday October 12, 2007 @03:03AM (#20950511)
          Create a shortcut on your desktop called 'www.slashdot.org' which points to 'www.bbc.co.uk'[1]. Now visit www.slashdot.org in IE.

          Be afraid. Be very afraid.

          [1] OB /. - or possibly to goatse
          • Create a shortcut on your desktop called 'www.slashdot.org' which points to 'www.bbc.co.uk'.
            Now visit www.slashdot.org in IE.

            Visiting www.slashdot.org [slashdot.org] is broken
            Visiting http://www.slashdot.org/ [slashdot.org] works fine

            IE seems to store the http: in favorites etc., so it's not much of a problem.
            Also it doesn't affect Firefox so almost nobody will notice.

            • Re: (Score:3, Informative)

              by mrRay720 ( 874710 )
              Actually this sounds like expected behaviour. www.slashdot.org isn't a valid address, people are just used to the user-friendly auto-appending of http://.

              www.slashdot.org is the name of a file in a location that IE searches for named shortcuts.

              What IE is doing in this case is preferring an exact match over an autoguess.

              The only argument here is if IE should be searching the desktop for URL shortcuts, and considering how many people use their desktop in lieu of the favourites menu, I don't think that it's
      • Firefox? (Score:1, Troll)

        by Erris ( 531066 )

        They're fixing other applications (Firefox in this case)

        Did you really say and believe that? Congratulations, you have outdone M$ themselves. Let's review:

        • the problem happened if you installed IE7, not before.
        • M$ has just admitted their mistaken way of dealing with urls in XP and 2003.

        How is that Firefox again? Yes, I saw in the recap where "MSRCTEAM" mentions their previous friendly blame cast, I mean "advice", to the Firefox team. Can you tell me how that intersects reality again?

        • Re: (Score:1, Informative)

          by Anonymous Coward
          Firefox installed the URL handler that was vulnerable. The fact that IE6 and IE7 treat URLs in different ways caused it not to be vulnerable under IE6.

          But it was still Firefox that installed the vulnerability. Without Firefox, NOTHING was vulnerable.

          So, yes, they're fixing Firefox's bug.
          • Re:Firefox? (Score:4, Informative)

            by ozmanjusri ( 601766 ) on Thursday October 11, 2007 @08:59PM (#20948779) Journal
            Without Firefox, NOTHING was vulnerable.

            Rubbish.

            There's a whole shopping list of apps, including IE7 [secunia.com] itself that were exposed to this vulnerability. Firefox was just the first to be accused.

            Microsoft's only changed its tune because Adobe's on the case with the Acrobat vulnerability. It's one thing to force a FOSS competitor to unnecessarily patch, but they'll have no luck with trying to force Adobe to fix every PDF reader out there.

        • Re:Firefox? (Score:5, Informative)

          by Kalriath ( 849904 ) on Thursday October 11, 2007 @08:58PM (#20948767)
          Well, actually, there are two issues being mentioned here. One, where Windows itself mishandles the URI. This is the one where a % symbol is included in the URI and ShellExecute stupidly tries to fix it (demons know how it manages to mangle it into an actual working executable path). The other, which Microsoft correctly attributes to third party vendors, is where when a protocol handler is called, no escaping of quotes is done - often causing apps like Firefox, or Trillian, or whatever, to actually accept half the URI as command line parameters.

          The mistake made by the GP (and potentially yourself, as you refer to the "blame cast" with the Firefox team which from memory only occurred with the issue in June with malicious URIs terminating the quoted string and including Chrome parameters) is that they assume the second option is the one which is being fixed. It is not. This will potentially still be a problem if applications don't continue to validate their URIs appropriately, as Windows doesn't know exactly what your application does to escape quotes.

          One of these is a vulnerability. The other is third party applications violating a basic tenet of development (no input is trusted).
          • Re: (Score:2, Informative)

            by Anonymous Coward
            The other, which Microsoft correctly attributes to third party vendors, is where when a protocol handler is called, no escaping of quotes is done

            OK, let's break down the steps to executing a program here. Now, I know Microsoft has their way of doing it, but really, it's exactly the same fucking thing with the same fucking array of arguments as parameters to the main function.

            1) program A decides it wants to run program B with some arguments
            2) program A assembles the argument list, and selects a member of t
            • Well, here's the thing:

              What's exec()? Windows has ShellExecute(). ShellExecute for parameters accepts a single blind string. With this string, it passes it straight to an app to decide how it wants to interpret it. In your example, it's because it doesn't need to escape quotes to open "C:\Program Files\Somewhere" - which is good, because it has no idea how your application escapes quotes anyway. Does it use C syntax? Does it use BASIC syntax? Does it use Pascal syntax? Since it doesn't know these, i
              • Re: (Score:3, Insightful)

                by HeroreV ( 869368 )
                If Internet Explorer was sending Firefox a valid URL, it wouldn't have to worry about escaping anything. Valid URLs don't contain whitespace, quotation marks, backslashes, or anything else that would need to be escaped. Why should Firefox expect to receive malformed URLs?
                • Font sizes are in points. They won't be the correct size if your display size isn't being picked up correctly, which sounds likely. Try setting DisplaySize in your xorg.conf and see if it makes a difference. Remember to make a backup copy first, so you can just copy it back in play if something screws up.
                • Ok, say Microsoft did decide to handle that and validate the http protocol URI's. What about the umpteen other URI types that can be exploited in the same manner? Would you expect Microsoft to work out what constitutes 'valid' for each of these too (many of which may well be wholly and solely products of 3rd party vendors)? Or would you expect that they just handle the common ones like http? If the latter then who gets to decide what is common or valid, and who is to blame later on when third party X chan
                • What if a user opened cmd.exe and executed "Firefox ". Is cmd.exe supposed to clean up the command line before passing it to Firefox? It's up to apps themselves to parse and validate whatever is passed as the command line. This is programming 101 stuff.
                • by g1zmo ( 315166 )
                  Software Development Rule #7:

                  Be liberal in what you accept and strict in what you emit.
              • which is good, because it has no idea how your application escapes quotes anyway.

                Well, for a filename (your "C:\Program Files\somewhere" example is not a URL), this issue is mitigated by the fact that filenames cannot contain quotes.

                It would not, though, be out of line for applications passing URLs into shellexec to escape quotes (at the very least, double quotes) with URI escaping syntax, in order to guarantee that _they_ do not contain quotes. They should already be escaping spaces, anyway, so this shouldn't have happened regardless

          • Is Windows a virus? No, Windows is not a virus. Here's what viruses do: 1. They replicate quickly - okay, Windows does that. 2. Viruses use up valuable system resources, slowing down the system as they do so - okay, Windows does that. 3. Viruses will, from time to time, trash your hard disk - okay, Windows does that too. 4. Viruses are usually carried, unknown to the user, along with valuable programs and systems. Sigh... Windows does that, too. 5. Viruses will occas
        • Re: (Score:1, Flamebait)

          by dedazo ( 737510 )
          hi twitter [slashdot.org]. How's that karma doing? Had to fall back on the ol' sockpuppet, eh?

          the problem happened if you installed IE7, not before.

          And?

          M$ has just admitted their mistaken way of dealing with urls in XP and 2003.

          "M$" has modified the way it works, which does not mean it's "mistaken". And these are not URLs, they're URIs passed to registered moniker handlers. You don't even know what you're talking about, do you?

          How is that Firefox again?

          They registered a handler with the shell. If they hadn't do

          • Re: (Score:3, Interesting)

            by ozmanjusri ( 601766 )
            "M$" has modified the way it works, which does not mean it's "mistaken".

            Yes it does.

            This is from the Technet mea culpa blog posting by MSRC's Jonathan.

            With Internet Explorer 7 installed, the flow is a bit different. IE7 began to do more validation up front to reject malformed URI's. When this malformed URI with a % was rejected by IE7, ShellExecute() tries to "fix up" the URI to be usable. During this process, the URI is not safely handled. IE7 rejects the URI, and on Windows Vista ShellExecute() gracefully rejects the URI. That's not the case on the older versions of Windows like Windows XP and Windows Server 2003 when IE7 is installed.

            Spin the facts as much as you like here, but anyone with a clue knows it is Microsoft's vulnerability. That's why they're the only ones who can fix it.

            • by dedazo ( 737510 )
              I wasn't referring to the vulnerability in shell32 itself, but to the way applications handle escape quotes in URIs passed to registered handlers like "chrome://".

              Most people (yourself included, apparently) don't understand that this is a two-way street. Microsoft can fix errors in their code, but they can do fuck all about what Firefox or Adobe Reader do with the input passed to them. But then it's so much fun to spin that part, isn't it?

              • Microsoft can fix errors in their code, but they can do fuck all about what Firefox or Adobe Reader do with the input passed to them.

                Which platforms does this vulnerability exist on?

                Why aren't Firefox, mIRC, Adobe Acrobat, Outlook Express, Outlook 2000 and others vulnerable when they're installed on Linux? On Windows without IE7? On a Mac? Why didn't the vulnerability exist until IE7 was installed?

                Your bosses have accepted it's their problem. Why don't you?

                • by dedazo ( 737510 )

                  Your bosses have accepted it's their problem.

                  Ooooh, that's so clever. Well, that does it for me. I won't bother you anymore, since surely there are other minions of the evil empire you must do battle with?

                  Good luck!

                • Why aren't Firefox, mIRC, Adobe Acrobat, Outlook Express, Outlook 2000 and others vulnerable when they're installed on Linux? On Windows without IE7? On a Mac? Why didn't the vulnerability exist until IE7 was installed?

                  Well, if you didn't have a computer, then it wouldn't be a problem at all, so I guess it's Charles Babbage's fault. Then again, if he wasn't born, it still wouldn't have happened, so it's his parents fault. I guess also if the Earth didn't exist, then it's the fault of either your chosen deity or science, depending.

                  Just because a problem can't exist without something else, it doesn't mean it's their fault. Here we go, car analogy - someone smashes into the side of your car and injures you. Once out of hosp

    • by JoelKatz ( 46478 )
      It's not. It's nice that they fixed it, but it wasn't their bug. Firefox, and other programs, were passing invalid URLs from untrusted sources to the operating system.
    • In a world without walls and fences - who needs windows and gates?!
  • by Tackhead ( 54550 ) on Thursday October 11, 2007 @06:56PM (#20947849)
    From TFA:
    > For traditionally "safe" protocols like mailto: or http:

    And that's where my co-workers heard the cry of "You dumb motherfuckers".

    It's been a few years since Microsoft boxes were out-of-the-box exploitable through anything other than rendering HTML content from either a web page or from within an email client.

    While the planet is grateful for the lack of uPnP and DCOM/RPC worms of late, it also means that "things that have to do with email or web browsing" are among the least safe things you can ask a computer to do.

    If you're at Microsoft, and you still think of "http://" as "safe", you're still part of the problem, not part of the solution.

    • by drsmithy ( 35869 ) on Thursday October 11, 2007 @08:09PM (#20948363)

      And that's where my co-workers heard the cry of "You dumb motherfuckers".

      Maybe you should have kept reading (or you're just quoting out of context to sensationalise):

      For traditionally "safe" protocols like mailto: or http: applications often just verify the prefix and then choose to call into the Windows shell32 function ShellExecute() to handle it.

      And that's where my co-workers heard the cry of "You dumb motherfuckers".

      It's pretty clear from context that the implication is other applications consider those prefixes as "traditionally safe", and not that Microsoft does.

      • by plover ( 150551 ) *

        It's pretty clear from context that the implication is other applications consider those prefixes as "traditionally safe", and not that Microsoft does.

        Umm...no. Your interpretation, while literal, doesn't parse because applications have neither traditions nor opinions on safety, nor do they write themselves. When you expand the original sentence's subject appropriately, it reads like this:

        For traditionally "safe" protocols like mailto: or http: [human] application [writer]s often just verify the prefix

        • by drsmithy ( 35869 )

          Umm...no. Your interpretation, while literal, doesn't parse because applications have neither traditions nor opinions on safety, nor do they write themselves. When you expand the original sentence's subject appropriately, it reads like this:

          And when you expand my sentence appropriately, you get:

          It's pretty clear from context that the implication is other applications [' developers] consider those prefixes as "traditionally safe", and not that [the average] Microsoft [developer] does.

          At that point, it re

    • Re: (Score:3, Insightful)

      While the planet is grateful for the lack of uPnP and DCOM/RPC worms of late, it also means that "things that have to do with email or web browsing" are among the least safe things you can ask a computer to do.

      Which is really ridiculous, that normal users have come to expect (or should expect) that there are exploit-ridden websites which you should never visit, or else your system may get exploited and spyware/other crap gets installed behind the user's back.

      One could pass a web-server ANYTHING as a URI, and the server basically returns you a 'page', consisting of a number of elements which are then rendered for your viewing pleasure. From a conceptual point of view, that's pretty much a READ action, and

    • by Beryllium Sphere(tm) ( 193358 ) on Thursday October 11, 2007 @11:09PM (#20949575) Journal
      More insight into how Microsoft thinks about these things at Larry Osterman's blog [msdn.com].

      Personally I'd point the finger at the idea of using ShellExecute on inadequately filtered data from the Internet.
  • Damn Microsoft for doing a 180 and making ShellExecute() be more strict about URI's. Damn you Microsoft for fixing that bug now, when you didn't fix it before. You should have kept with this and not fixed it. Or something. :-)
  • by Propaganda13 ( 312548 ) on Thursday October 11, 2007 @07:46PM (#20948205)
    After being criticized about security, Microsoft has taken additional steps to shorten the time between when they advise a customer of a vulnerability and when it is fixed. Ballmer stated "This is a win for both the customer and Microsoft."
  • Simple (Score:4, Interesting)

    by Vlaadimir ( 1146843 ) on Thursday October 11, 2007 @07:48PM (#20948217)
    If Microsoft concedes that IE should validate/sanitize URL input before passing it to other applications, then other browsers should also validate/sanitize URL input before passing it to other vulnerable Microsoft/Adobe/IBM/... applications.
    • by micheas ( 231635 )

      If Microsoft concedes that IE should validate/sanitize URL input before passing it to other applications, then other browsers should also validate/sanitize URL input before passing it to other vulnerable Microsoft/Adobe/IBM/... applications.

      That would work if you didn't have to make an exception for the Outlook Web Access Client for Exchange. That has all sorts of invalid URLs in it that should never be accepted by a web browser.

      Worst thing Netscape and Microsoft ever did is allow their browsers to render

      • Ok, I'll bite. What "invalid" urls are in exchangeweb? Before you answer, remember I DO have exchange web on my server..
        • by micheas ( 231635 )

          Ok, I'll bite. What "invalid" urls are in exchangeweb? Before you answer, remember I DO have exchange web on my server..


          I cannot remember what the issue is exactly but it has (had? I have been mercifully spared from exchange 2005) to do with % signs in email subjects or file names.
          • hmm, i'll have to check that out. I've seen % signs, but they should be there... %27 replaces ' IIRC, which is the proper escaping.
      • I think this has more to do with Microsoft trying to gain the high ground by saying that we validate our input before passing it to third party applications. Where validating user input, really is a good thing is not always easy.
    • ...then other browsers...

      IE isn't a web browser. It's a quasi-web browser. The second Microsoft chose to leverage non-standard features in disregard to how it would cripple the platform-independent design of the web, IE became a quasi-web browser. Of course, one could argue that most "web browsers" fall into that category (Netscape, Firefox, Opera, etc all adding-on Java, Flash plug-ins, etc). At that point, though, one can rationally argue that each quasi-web browser falls into its own category, so the

  • I have a "handing" flaw. A protocol has a "handling" flaw.

    My flaw is much more personal ;p
  • Pay attention (Score:5, Informative)

    by Anonymous Coward on Thursday October 11, 2007 @07:50PM (#20948233)
    You're not paying attention. There were two flaws: One in Firefox, one in ShellExecute. Microsoft cannot and did not fix the flaw in Firefox (incorrect interpretation of command line). Microsoft did fix the bug in ShellExecute, which was caused by the failure to abort if URLMON returned an error code indicating that a given string was not a legal URI.
    • Re:Pay attention (Score:5, Interesting)

      by Alwin Henseler ( 640539 ) on Thursday October 11, 2007 @09:18PM (#20948893)

      There were two flaws: One in Firefox, one in ShellExecute.
      Excellent point.

      Microsoft cannot and did not fix the flaw in Firefox (..)
      Ehmm... wrong. Since Firefox is an open source project, ANYONE has the option to contribute patches, and Microsoft surely has the knowledge and resources to do so. Any decently managed open source project should accept patches from anyone, IF it provides a correct fix for a problem, and licensing of the patch is acceptable (like, licensed the same as the rest of the project).

      Though I can't think of a reason why Microsoft would WANT to fix a problem in Firefox, unless IE's market share has dropped below 1% ;-)

      • Re: (Score:3, Insightful)

        by suv4x4 ( 956391 )
        Ehmm... wrong. Since Firefox is an open source project, ANYONE has the option to contribute patches, a [...] Though I can't think of a reason why Microsoft would WANT to fix a problem in Firefox

        So uhmm what was the point of this post at all? Anyone in Microsoft's position wouldn't want to fix their competitors' software, it being OSS or not.

        Firefox isn't just a browser competing to IE on Windows. It's a browser on Windows that works the same on Mac and Linux. That's horrible for MS as the browser becomes th
      • by nsebban ( 513339 )
        I'm very curious about the way the community would react if Microsoft provided a patch to an open-source app, just like they could have done in this case.
  • Microsoft is a pain when it comes to protocols. If they have a bug, unless it blows up Fortune 500 servers they put the burden on you to work around them. I wrote an HTTP proxy client lib a while back that ran with no problems for months/years until Microsoft got into our market. "But the RFC says..." means jack to your clients when their deployment is bombing out on transactions.
    • by rs79 ( 71822 )
      "But the RFC says..."

      Welcome to reality. If you made a mail daemon that worked according to spec nobody would be able to use it.

      If you saw the errors in SSL browsers ignored just so they look like they're working you'd shit.
  • by Keeper ( 56691 ) on Thursday October 11, 2007 @10:27PM (#20949369)
    There are two "bugs" being talked about.

    1) an exploit in firefox URI protocol handler
    2) an exploit related to how explorer handles rejected URIs from IE7 on XP/Win2k3

    Apparently the submitter isn't able to differentiate #2 from #1.

    The advisory is for item #2. Item #2 is going to get fixed. The advisory does not cover item #1. Item #1 will need to be fixed in the protocol handler itself.
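The two separate checks that the comments above keep apart (the caller refusing an illegal URI instead of fixing it up, and the protocol handler not trusting its own command line) modelled as an added example. This is not code from the page, Microsoft or Mozilla; the handler template, the allowed scheme list and the argument tokenizer are constructed assumptions for illustration.

```python
"""Added example (not from the page, Microsoft or Mozilla): the two
separate checks the thread describes, modelled in Python.

1. The caller (a browser, mail client, PDF reader) decides whether a
   string is a legal URI and refuses it outright instead of "fixing it up".
2. The registered protocol handler treats its own command line as
   untrusted, because a stray double quote in %1 can split one argument
   into several.
"""
import re
from urllib.parse import urlsplit

# Schemes this (hypothetical) caller is willing to hand to the shell.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Characters a well-formed URI never contains unencoded: whitespace, double
# quotes, backslashes, angle brackets and control characters (RFC 3986).
_FORBIDDEN = re.compile(r'[\s"\\<>]|[\x00-\x1f\x7f]')
# A '%' is only legal as the start of a two-hex-digit escape.
_PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def is_legal_uri(uri: str) -> bool:
    """Strict accept/reject check: never repairs a malformed string."""
    if _FORBIDDEN.search(uri):
        return False
    # Remove every valid escape; any '%' left over is a malformed escape
    # (the stray-% case discussed in the thread).
    if "%" in _PCT_ESCAPE.sub("", uri):
        return False
    try:
        parts = urlsplit(uri)
    except ValueError:
        return False
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False
    if scheme in ("http", "https") and not parts.netloc:
        return False
    return True


# Constructed handler registration, in the shape the shell stores for a
# protocol handler: %1 is replaced with the URI being opened.
HANDLER_TEMPLATE = '"C:\\Program Files\\ExampleApp\\app.exe" -url "%1"'


def dispatch(uri: str):
    """Caller side: build the command line only for a legal URI."""
    if not is_legal_uri(uri):
        return None  # reject; do not try to fix the string up
    return HANDLER_TEMPLATE.replace("%1", uri)


def split_command_line(cmd: str) -> list:
    """Toy model of how a launched process sees its argument vector: split
    on unquoted whitespace, with double quotes grouping. This simplifies
    real Windows argv parsing; it is only used to show the effect of a
    quote inside %1."""
    args, cur, in_quote, have = [], [], False, False
    for ch in cmd:
        if ch == '"':
            in_quote = not in_quote
            have = True
        elif ch.isspace() and not in_quote:
            if have:
                args.append("".join(cur))
                cur, have = [], False
        else:
            cur.append(ch)
            have = True
    if have:
        args.append("".join(cur))
    return args


def handler_main(argv: list) -> str:
    """Handler side: require exactly '-url <uri>' and re-validate it, so a
    command line that was split by a quote is rejected instead of having
    its extra tokens interpreted as options."""
    if len(argv) != 3 or argv[1] != "-url" or not is_legal_uri(argv[2]):
        return "rejected"
    return "opened " + argv[2]


if __name__ == "__main__":
    good = dispatch("http://www.example.com/a%20b")
    print(good, "->", handler_main(split_command_line(good)))
    # A caller that skipped the check would let a quote split %1; the
    # handler's own check still refuses the result.
    unchecked = HANDLER_TEMPLATE.replace("%1", 'http://www.example.com/" -o "x')
    print(unchecked, "->", handler_main(split_command_line(unchecked)))
```

Both checks are needed: the caller's check covers the shell fix-up problem, and the handler's check covers callers that never validated in the first place.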
  • From the MSRC blog post (linked in the summary):

    While we might have been able to make changes in some Windows APIs to block these attacks, doing so could break how the 3rd party applications intended those protocol handlers to function. As a result, we recommend that the owners of the applications themselves address the potential issues since they understand their code the best. For example, application protocol handler authors must take special care to validate every argument which is passed in on the co

  • Is it PHP's fault that people don't escape their data before executing MySQL statements? No. Still it's such a wide problem that PHP is now going to escape all data in later versions of PHP.

    This is the exact same situation. There are problems with un-escaped data and Microsoft doesn't want to bother much like the PHP team did before they changed their minds about the situation.

    The only difference here is the way the code executes. I personally think it's not Microsoft's fault but they should fix it anyway.
    • Is it PHP's fault that people don't escape their data before executing MySQL statements? No. Still it's such a wide problem that PHP is now going to escape all data in later versions of PHP.

      wtf does "escape all data" even mean? Data coming out of the database gets escaped? Data read in from files? Contents of string literals? Arguments to "echo"? How does it know whether to escape for SQL, for HTML [< etc], or for something else? magic? You put "XSS" in the subject line, yet talk about MySQL in the body, which have nothing to do with each other (hint: XSS attacks are usually caused when you actually WANT the other person to be able to write HTML generally, but fail to prevent them from

      • No, XSS != SQL injection. SQL injection is more relevant here, and to prevent it, you escape any data you didn't generate yourself before using it in any way with an SQL query. Even if that data came from the database.

        See www.php.net and look up mysql_real_escape_string() and pg_escape_string(). There are other functions for other purposes, but proper use of one of these two will save you lots of pain.
        • Yeah, but the GP suggested that the next version of PHP will "automatically escape all data", thus magically preventing both sql injections AND xss.
  • I'm quite aware that this is completely off-topic, but "Flip-Flops"? This locution, imported from contemporary political discourse, no doubt, irritates me to no end. Why not just say what you mean--namely: "changes its (or, in the case of persons, his/her) mind"? Or is this neologism supposed to mean something else that I'm not aware of (I doubt it, but who knows)?
    • The phrase "flip-flops" officially died the first time one pundit quoted another by using it without attributing the source. Same with quagmire. These are now gone from the English language. Please do not use them.
  • If program A and program B are installed, and while the user uses program A (Internet Explorer) and a specific bug causes that if program B (firefox) is installed and the user is currently using program A, malicious user can cause program A to pass parameters which will not be checked on program B.

    So who is guilty? Program A for allowing to pass those parameters? or Program B which doesn't sanitize input from other programs?
    I'd say, both.
  • I just stated this on the Adobe vulnerability story.... clickie to see the irony [slashdot.org]

    My post:

    "Is it really an Adobe vulnerability? Seems more like it's an IE vulnerability that has been blame-shifted to whoever writes the plugins that might expose it for what it is."

    Replies:

    "From what I understand, and there isn't much in the way of technical details available, this is not an IE flaw. IE, correctly, doesn't assume that a URI is invalid just because it looks odd. This is correct, because there is no way IE can kn
  • Is anyone surprised that a big business swears there is no problem until they have a solution?
    • A company says "We offer the best in security to ensure the protection of your business without any problems".

      Few weeks later..

      The company says "We have discovered an issue with bla bla bla, please visit bla bla bla to get the update".
  • Usually, the terms `flip-flop` and `Microsoft` together in a sentence bring out the MS-bashers and Linux advocates. But to be frank, this is a good thing for Microsoft to do. Their previous argument was pretty solid, because how are Microsoft to anticipate each and every URL registration made by a third-party application writer? Answer: they can't.

    So by now admitting to plans to write a more strict handling routine for the shell URI interpreter, Microsoft is not kowtowing to pressure from the free mark
