Microsoft Flip-Flops On URI Protocol Handing Flaw

a-twitter writes "After months of insisting there is nothing to patch, Microsoft has done a complete 180 on the URI protocol handling vulnerability, announcing in a security advisory that a Windows update will be released to revise URI handling code within ShellExecute() to be more strict. The MSRC blog explains the background and offers more details on this issue."

like a dervish, they are

[User 956]

After months of insisting there is nothing to patch, Microsoft has done a complete 180 on the URI protocol handling vulnerability

If it took them that many months, it sounds like they did a 1260.

Re:like a dervish, they are

[ricebowl]

If it took them that many months, it sounds like they did a 1260.

And here I'm still saving to buy the 360...

Sigh...

Re:like a dervish, they are

[ozmanjusri]

Why don't you just twist a red glow-stick into a ring and glue it to the front of a cereal box? It'll work as well as most 360s do...

Re:

[Anonymous Coward]

True.

But, you can still buy a disposable 360 once a monthfor five years, for less than half the price of a single PS3!

Re:

[ricebowl]

Why don't you just twist a red glow-stick into a ring and glue it to the front of a cereal box? It'll work as well as most 360s do...

True enough, but will my glow-stick and cereal box be repaired under an extended warranty [xbox.com] when it inevitably falls apart, or I add milk to the contents?

I don't think Mr. Kelloggs will be forthcoming...

Re:

[dpiven]

And it'll taste better, and be more nutritious!

Re:

[rinaazlin]

even you buy 360, will the virus stop coming.. maybe not!

Re:

[mrbluze]

Maybe it took them so long because they had to bug-fix the patch, so the replacement vulnerability won't be so easy for non-spooks to detect.

Re:

[rk076200]

Microsoft has finally accepted responsibility for its role in a security weakness that allows malicious websites to run harmful code on an end user's machine.

Re:

[davidsyes]

What were they doing? Chanting runes, or calculating by an excel error?

Good.

[Futurepower(R)]

Now we won't have to read any more Slashdot comments that say, "It's not really Microsoft's problem."

Re:

[Spy der Mann]

Now I wonder how many machines have now been zombified due to Microsoft's "little mistake". :-/

Who's gonna be held accountable for that?

Re:Good.

[Cassius Corodes]

Me. I'm gonna get a week's vacation docked.

Re:Good.

[dedazo]

No, it's not. Never was. They're fixing other applications (Firefox in this case), the way they hack their entire userspace to deal with application quirks and stupid use of undocumented structures and APIs that are not supported. But that's the price they ultimately have to pay for backwards compatibility - the reason they also still own 96% of the desktop.

Re:

[clsours]

No, no, no. Windows automagically does all kinds of crap. Especially with explorer, which for most intents and purposes is also Internet Explorer. Windows does many many things for the user that are 'nice', but really compromise security. With a culture of obfuscation-as-security and a growing codebase you HAVE to expect vulnerabilities.

Re:Good.

[MadMidnightBomber]

Create a shortcut on your desktop called 'www.slashdot.org' which points to 'www.bbc.co.uk'[1]. Now visit www.slashdot.org in IE.

Be afraid. Be very afraid.

[1] OB /. - or possibly to goatse

Only a problem if you omit the http:

[giafly]

Create a shortcut on your desktop called 'www.slashdot.org' which points to 'www.bbc.co.uk'.
Now visit www.slashdot.org in IE.

Visiting www.slashdot.org [slashdot.org] is broken
Visiting http://www.slashdot.org/ [slashdot.org] works fine

IE seems to store the http: in favorites etc., so it's not much of a problem.
Also it doesn't affect Firefox so almost nobody will notice.

Re:

[mrRay720]

Actually this sounds like expected behaviour. www.slashdot.org isn't a valid address, people are just used to the user-friendly auto-appending of http://./ [.]

www.slashdot.org is the name of a file in a location that IE searches for named shortcuts.

What IE is doing in this case is preferring an exact match over an autoguess.

The only arguement here is if IE should be searching the desktop for URL shortcuts, and considering how many people use their desktop in lieu of the favourites menu, I don't think that it's

Re:Fanboy Bullshit at it's Finest.

[Planesdragon]

You must have slept through that whole anti-trust thing, where the Federal government proved that M$ did everything in it's power to break Netscape.

Psst. Netscape is not a competitor to Windows. Never was.

MS cripples themselves when they try and lean on Windows to get IE, or Office, or Visual Studio more market share. But Windows itself -- well, there's been to date, what, four serious attempts at competting with MS, and they haven't even managed to get half the market between them?

BeOS, UNIX et al, OS/2, and the Mac. All told, maybe 30% of the worldwide userbase. Microsoft is doing something right -- or else the "here, you can have this for free" crowd is doing something even worse than MS.

Re:

[absoluteflatness]

Psst. Netscape is not a competitor to Windows. Never was...
MS cripples themselves when they try and lean on Windows...

Well, the grandparent never said that Netscape was a competitor to Windows, but it sure was a competitor with Internet Explorer. Considering that Internet Explorer completely crushed Netscape due to it being free and bundled with Windows (and, eventually, a better product), I think that Microsoft's plan of leaning on their Windows dominance to sell their other products seems like a pretty successful one. Of course, of these, only IE is "bundled". For Office and Visual Studio, it's really a two-way stre

Re:

[durin]

Microsoft is doing something right

Unfortunately, the thing they're doing right is wrong (they're a monopoly, remember?)

Re:

[houseofzeus]

Being a monopoly is not, in itself, illegal.

Re:

[fork_daemon]

Being a monopoly is not, in itself, illegal.

It isn't illegal, but it leads to illegal behaviour. Remember the buying the vote for OOXML story?

Re:

[houseofzeus]

Indeed, many people seem to mistakenly believe the former though, which is my gripe.

Re:

[pyrr]

Just a quick point. UNIX=!free and it predates Microsoft operating systems by a pretty substantial span of time, and it's not a consumer desktop OS. BeOS=!free and kind of had a dearth of software developed for its platform OS|2=!free and it's basically a fork of NT from when IBM & Microsoft decided to take their respective marbles and go home when their collaboration fell apart. IBM didn't market it anywhere near as aggressively as Microsoft marketed NT. Mac=!free and the hardware has typically carrie

Firefox?

[Erris]

They're fixing other applications (Firefox in this case)

Did you really say and believe that? Congratulations, you have outdone M$ themselves. Let's review:

• the problem happened if you installed IE7, not before.
• M$ has just admitted their mistaken way of dealing with urls in XP and 2003.

How is that Firefox again? Yes, I saw in the recap where "MSRCTEAM" mentions their previous friendly blame cast, I mean "advice", to the Firefox team. Can you tell me how that intersects reality again?

Re:

[Anonymous Coward]

Firefox installed the URL handler that was vulnerable. The fact that IE6 and IE7 treat URLs in different ways caused it not to be vulnerable under IE6.

But it was still Firefox that installed the vulnerability. Without Firefox, NOTHING was vulnerable.

So, yes, they're fixing Firefox's bug.

Re:Firefox?

[ozmanjusri]

Without Firefox, NOTHING was vulnerable.

Rubbish.

There's a whole shopping list of apps, including IE7 [secunia.com] itself that were exposed to this vulnerability. Firefox was just the first to be accused.

Microsoft's only changed it's tune because Adobe's on the case with the Acrobat vulnerability. It's one thing to force a FOSS competitor to unnecessarily patch, but they'll have no luck with trying to force Adobe to fix every PDF reader out there.

Re:Firefox?

[Kalriath]

Well, actually, there are two issues being mentioned here. One, where Windows itself mishandles the URI. This is the one where a % symbol is included in the URI and ShellExecute stupidly tries to fix it (demons know how it manages to mangle it into an actual working executable path). The other, which Microsoft correctly attributes to third party vendors, is where when a protocol handler is called, no escaping of quotes is done - often causing apps like Firefox, or Trillian, or whatever, to actually accept half the URI as command line parameters.

The mistake made by the GP (and potentially yourself, as you refer to the "blame cast" with the Firefox team which from memory only occurred with the issue in June with a malicious URIs terminating the quoted string and including Chrome parameters) is that they assume the second option is the one which is being fixed. It is not. This will potentially still be a problem if applications don't continue to validate their URIs appropriately, as Windows doesn't know exactly what your application does to escape quotes.

One of these is a vulnerability. The other is third party applications violating a basic tenet of development (no input is trusted).

Re:

[Anonymous Coward]

The other, which Microsoft correctly attributes to third party vendors, is where when a protocol handler is called, no escaping of quotes is done

OK, let's break down the steps to executing a program here. Now, I know Microsoft has their way of doing it, but really, it's exactly the same fucking thing with the same fucking array of arguments as parameters to the main function.

1) program A decides it wants to run program B with some arguments
2) program A assembles the argument list, and selects a member of t

Re:

[Kalriath]

Well, here's the thing:

What's exec()? Windows has ShellExecute(). ShellExecute for parameters accepts a single blind string. With this string, it passes it straight to an app to decide how it wants to interpret it. In your example, it's because it doesn't need to escape quotes to open "C:\Program Files\Somewhere" - which is good, because it has no idea how your application escapes quotes anyway. Does it use C syntax? Does it use BASIC syntax? Does it use Pascal syntax? Since it doesn't know these, i

Re:

[HeroreV]

If Internet Explorer was sending Firefox a valid URL, it wouldn't have to worry about escaping anything. Valid URLs don't contain whitespace, quotation marks, backslashes, or anything else that would need to be escaped. Why should Firefox expect to receive malformed URLs?

OT: Your last blog entry

[dylan_-]

Font sizes are in points. They won't be the correct size if your display size isn't being picked up correctly, which sounds likely. Try setting DisplaySize in your xorg.conf and see if it makes a difference. Remember to make a backup copy first, so you can just copy it back in play if something screws up.

Re:

[houseofzeus]

Ok, say Microsoft did decide to handle that and validate the http protocol URI's. What about the umpteen other URI types that can be exploited in the same manner? Would you expect Microsoft to work out what constitutes 'valid' for each of these too (many of which may well be wholely and solely products of 3rd party vendors)? Or would you expect that they just handle the common ones like http? If the later then who gets to decide what is common or valid, and who is to blame later on when third party X chan

Re:

[houseofzeus]

If it were as simple as just applying the RFC for generic URIs this would never have snowballed the way it has. The point is that 3rd party applications can still be and will continue to be vulnerable in this manner if they don't validate URI's from untrusted sources. I suspect the reason URIs were left unvalidated by ShellExec in the first place may have been that if you put generic validation there 3rd parties could well get lazy and fail to do their own further validation (with the additional context of

Re:

[I'm Don Giovanni]

What if a user opened cmd.exe and executed "Firefox ". Is cmd.exe supposed to clean up the command line before passing it to Firefox? It's up to apps themselves to parse and validate whatever is passed as the command line. This is programming 101 stuff.

Re:

[g1zmo]

Software Development Rule #7:

Be liberal in what you accept and strict in what you emit.

Re:

[Random832]

which is good, because it has no idea how your application escapes quotes anyway.

Well, for a filename (your "C:\Program Files\somewhere" example is not a URL), this issue is mitigated by the fact that filenames cannot contain quotes.

It would not, though, be out of line for applications passing URLs into shellexec to escape quotes (at the very least, double quotes) with URI escaping syntax, in order to guarantee that _they_ do not contain quotes. They should already be escaping spaces, anyway, so this shouldn't have happened regardless

Re:

[rk075906]

Is Windows a virus? No, Windows is not a virus. Here's what viruses do: 1. They replicate quickly - okay, Windows does that. 2. Viruses use up valuable system resources, slowing down the system as they do so - okay, Windows does that. 3. Viruses will, from time to time, trash your hard disk - okay, Windows does that too. 4. Viruses are usually carried, unknown to the user, along with valuable programs and systems. Sigh... Windows does that, too. 5. Viruses will occas

Re:

[dedazo]

hi twitter [slashdot.org]. How's that karma doing? Had to fall back on the ol' sockpuppet, eh?

the problem happened if you installed IE7, not before.

And?

M$ has just admitted their mistaken way of dealing with urls in XP and 2003.

"M$" has modified the way it works, which does not mean it's "mistaken". And these are not URLs, they're URIs passed to registered moniker handlers. You don't even know what you're talking about, do you?

How is that Firefox again?

They registered a handler with the shell. If they hadn't do

Re:

[ozmanjusri]

"M$" has modified the way it works, which does not mean it's "mistaken".

Yes it does.

This is from the Technet mea culpa blog posting by MSRC's Jonathan.

With Internet Explorer 7 installed, the flow is a bit different. IE7 began to do more validation up front to reject malformed URI's. When this malformed URI with a % was rejected by IE7, ShellExecute() tries to "fix up" the URI to be usable. During this process, the URI is not safely handled. IE7 rejects the URI, and on Windows Vista ShellExecute() gracefully rejects the URI. That's not the case on the older versions of Windows like Windows XP and Windows Server 2003 when IE7 is installed.

Spin the facts as much as you like here, but anyone with a clue knows it is Microsoft's vulnerability. That's why they're the only ones who can fix it.

Re:

[dedazo]

I wasn't referring to the vulnerability in shell32 itself, but to the way applications handle escape quotes in URIs passed to registered handlers like "chrome://".

Most people (yourself included, apparently) don't understand that this is a two-way street. Microsoft can fix errors in their code, but they can do fuck all about what Firefox or Adobe Reader do with the input passed to them. But then it's so much fun to spin that part, isn't it?

Re:

[ozmanjusri]

Microsoft can fix errors in their code, but they can do fuck all about what Firefox or Adobe Reader do with the input passed to them.

Which platforms does this vulnerability exist on?

Why aren't Firefox, mIRC, Adobe Acrobat, Outlook Express, Outlook 2000 and others vulnerable when they're installed on Linux? On Windows without IE7? On a Mac? Why didn't the vulnerability exist until IE7 was installed?

Your bosses have accepted it's their problem. Why don't you?

Re:

[dedazo]

Your bosses have accepted it's their problem.

Ooooh, that's so clever. Well, that does it for me. I won't bother you anymore, since surely there are other minions of the evil empire you must do battle with?

Good luck!

Re:

[Macthorpe]

Why aren't Firefox, mIRC, Adobe Acrobat, Outlook Express, Outlook 2000 and others vulnerable when they're installed on Linux? On Windows without IE7? On a Mac? Why didn't the vulnerability exist until IE7 was installed?

Well, if you didn't have a computer, then it wouldn't be a problem at all, so I guess it's Charles Babbage's fault. Then again, if he wasn't born, it still wouldn't have happened, so it's his parents fault. I guess also if the Earth didn't exist, then it's the fault of either your chosen deity or science, depending.

Just because a problem can't exist without something else, it doesn't mean it's their fault. Here we go, car analogy - someone smashes into the side of your car and injures you. Once out of hosp

Re:

[dedazo]

That's impressive, but what does that have to do with the topic of this article?

Re:

[SL Baur]

Microsoft has been a destroyer of standards, rather than a builder of standards.

You must be new here. They're only doing what titans in the computer industry have done in the past. IBM (with OS 360), DEC (with VMS), etc.

Standards have traditionally been whoever has the largest market share. They may change from vendor to vendor, but it has always been this way. Always.

Sigh. When I went through college, there were no computer majors, but now it definitely seems time that there should be computer history majors ...

Where's the logic?

[Futurepower(R)]

You seem to be saying that abuse is okay of someone has done that kind of abuse before.

Re:

[JoelKatz]

It's not. It's nice that they fixed it, but it wasn't there bug. Firefox, and other programs, were passing invalid URLs from untrusted sources to the operating system.

Re:

[rk075906]

In a world without walls and fences - who needs windows and gates?!

The Point: They're Still Missing It.

[Tackhead]

From TFA:
> For traditionally "safe" protocols like mailto: or http:

And that's where my co-workers heard the cry of "You dumb motherfuckers".

It's been a few years since Microsoft boxes were out-of-the-box exploitable through anything other than rendering HTML content from either a web page or from within an email client.

While the planet is grateful for the lack of uPnP and DCOM/RPC worms of late, it also means that "things that have to do with email or web browsing" are among the least safe things you can ask a computer to do.

If you're at Microsoft, and you still think of "http://" as "safe", you're still part of the problem, not part of the solution.

Re:The Point: They're Still Missing It.

[drsmithy]

And that's where my co-workers heard the cry of "You dumb motherfuckers".

Maybe you should have kept reading (or you're just quoting out of context to sensationalise):

For traditionally "safe" protocols like mailto: or http: applications often just verify the prefix and then choose to call into the Windows shell32 function ShellExecute() to handle it.

And that's where my co-workers heard the cry of "You dumb motherfuckers".

It's pretty clear from context that the implication is other applications consider those prefixes as "traditionally safe", and not that Microsoft does.

Re:

[plover]

It's pretty clear from context that the implication is other applications consider those prefixes as "traditionally safe", and not that Microsoft does.

Umm...no. Your interpretation, while literal, doesn't parse because applications have neither traditions nor opinions on safety, nor do they write themselves. When you expand the original sentence's subject appropriately, it reads like this:

For traditionally "safe" protocols like mailto: or http: [human] application [writer]s often just verify the prefix

Re:

[drsmithy]

Umm...no. Your interpretation, while literal, doesn't parse because applications have neither traditions nor opinions on safety, nor do they write themselves. When you expand the original sentence's subject appropriately, it reads like this:

And when you expand my sentence appropriately, you get:

It's pretty clear from context that the implication is other applications [' developers] consider those prefixes as "traditionally safe", and not that [the average] Microsoft [developer] does.

At that point, it re

Re:

[Alwin Henseler]

While the planet is grateful for the lack of uPnP and DCOM/RPC worms of late, it also means that "things that have to do with email or web browsing" are among the least safe things you can ask a computer to do.

Which is really ridiculous, that normal users have come to expect (or should expect) that there are exploit-ridden websites which you should never visit, or else your system may get exploited and spyware/other crap gets installed behind the user's back.

One could pass a web-server ANYTHING as a URI, and the server basically returns you a 'page', consisting of a number of elements which are then rendered for your viewing pleasure. From a conceptual point of view, that's pretty much a READ action, and

Re:The Point: They're Still Missing It.

[Beryllium Sphere(tm)]

More insight into how Microsoft thinks about these things at Larry Osterman's blog [msdn.com].

Personally I'd point the finger at the idea of using ShellExecute on inadequately filtered data from the Internet.

Re:

[thegrassyknowl]

"There's nothing wrong with it" ---(M$ To English)---> "We're too stupid to be able to fix this bug so we'll claim it works as expected and is a feature then tell the users that it's their fault. At least our users are stupider than us."

Re:

[Gary W. Longsine]

Even though the parent forgot, "... and blame the developers of third party applications..." it was otherwise accurate, if blunt. The Troll mod is unfair. Mod, you will be punished in meta-mod land.

Damn you, Microsoft.

[Jugalator]

Damn Microsoft for doing a 180 and making ShellExecute() be more strict about URI's. Damn you Microsoft for fixing that bug now, when you didn't fix it before. You should have kept with this and not fixed it. Or something. :-)

Re:

[fbjon]

That would be point one [slashdot.org] then.

The "New" Microsoft

[Propaganda13]

After being criticized about security, Microsoft has taken additional steps to shorten the time between when they advise a customer of a vulnerability and when it is fixed. Ballmer stated "This is a win for both the customer and Microsoft."

Simple

[Vlaadimir]

If Microsoft concedes that IE should validate/sanitize URL input before passing it to other applications, then other browsers should also validate/sanitize URL input before passing it to other vulnerable Microsoft/Adobe/IBM/... applications.

Re:

[micheas]

If Microsoft concedes that IE should validate/sanitize URL input before passing it to other applications, then other browsers should also validate/sanitize URL input before passing it to other vulnerable Microsoft/Adobe/IBM/... applications.

That would work if you didn't have to make an exception for the Outlook Web Access Client for exchange. That has all sorts of invalid URL's in it that should never be accepted by a web browser.

Worst thing Netscape and Microsoft ever did is allow their browsers to render

Re:

[plague3106]

Ok, I'll bite. What "invalid" urls are in exchangeweb? Before you answer, remember I DO have exchange web on my server..

Re:

[micheas]

Ok, I'll bite. What "invalid" urls are in exchangeweb? Before you answer, remember I DO have exchange web on my server..

I cannot remember what the issue is exactly but it has (had? I have been mercifully spared from exchange 2005) to do with % signs in email subjects or file names.

Re:

[plague3106]

hmm, i'll have to check that out. I've seen % signs, but they should be there... %27 replaces ' IIRC, whcih is the proper escaping.

Re:

[Vlaadimir]

I think this has more to do with Microsoft trying to gain the high ground by saying that we validate our input before passing it to third party applications. Where validating user input, really is a good thing is not always easy.

Re:

[10101001 10101001]

...then other browsers...

IE isn't a web browser. It's a quasi-web browser. The second Microsoft chose to leverage non-standard features in disregard to how it would cripple the platform-independent design of the web, IE became a quasi-web browser. Of course, one could argue that most "web browsers" fall into that category (Netscape, Firefox, Opera, etc all adding-on Java, Flash plug-ins, etc). At that point, though, one can rational argue that each quasi-web browser falls into its own category, so the

My Flaw

[The Living Fractal]

I have a "handing" flaw. A protocol has a "handling" flaw.

My flaw is much more personal ;p

Pay attention

[Anonymous Coward]

You're not paying attention. There were two flaws: One in Firefox, one in ShellExecute. Microsoft cannot and did not fix the flaw in Firefox (incorrect interpretation of command line). Microsoft did fix the bug in ShellExecute, which was by the failure to abort if URLMON returned an error code indicating that a given string was not a legal URI.

Re:Pay attention

[Alwin Henseler]

There were two flaws: One in Firefox, one in ShellExecute.

Excellent point.

Microsoft cannot and did not fix the flaw in Firefox (..)

Ehmm... wrong. Since Firefox is an open source project, ANYONE has the option to contribute patches, and Microsoft surely has the knowledge and resources to do so. Any decently managed open source project should accept patches from anyone, IF it provides a correct fix for a problem, and licensing of the patch is acceptable (like, licensed the same as the rest of the project).

Though I can't think of a reason why Microsoft would WANT to fix a problem in Firefox, unless IE's market share has dropped below 1% ;-)

Re:

[suv4x4]

Ehmm... wrong. Since Firefox is an open source project, ANYONE has the option to contribute patches, a [...] Though I can't think of a reason why Microsoft would WANT to fix a problem in Firefox

So uhmm what was the point of this post at all? Anyone in Microsoft's position wouldn't want to fix their competitors' software, it being OSS or not.

Firefox isn't just a browser competing to IE on Windows. It's a browser on Windows that works the same on Mac and Linux. That's horrible for MS as the browser becomes th

Re:

[nsebban]

I'm very curious about the way the community would react if Microsoft provided a patch to an open-source app, just like they could have done in this case.

Re:

[plague3106]

Hmm.. I happen to have Vista Ultimate, and Office 2007. I just clicked a link in Outlook and it opened FF just fine even though FF wasn't already open. How do you reproduce the error you describe?

Re:

[plague3106]

Hmm, I'm on the 32-bit OS. Maybe it was fixed in a recent update?

Nothing new here

[GodfatherofSoul]

Microsoft is a pain when it comes to protocols. If they have a bug, unless it blows up Fortune 500 servers they put the burden on you to work around them. I wrote a HTTP proxy client lib a while back that ran with no problems for months/years until Microsoft got into our market. "But the RFC says..." means jack to your clients when their deployment is bombing out on transactions.

Re:

[rs79]

"But the RFC says..."

Welcome to reality. If you made a mail daemon that worked according to spec nobody would be able to use it.

If you saw the errors in SSL browsers ignoered just to they look like they're working you'd shit.

Did the submitter read the links they included?

[Keeper]

There are two "bugs" being talked about.

1) an exploit in firefox URI protocol handler
2) an exploit related to how explorer handles rejected URIs from IE7 on XP/Win2k3

Apparently the submitter isn't able to differentiate #2 from #1.

The advisory is for item #2. Item #2 is going to get fixed. The advisory does not cover item #1. Item #1 will need to be fixed in the protocol handler itself.

Re:

[Random832]

And while we're here, can anyone explain why the firefoxurl handler exists at all?

Though these are url handler keys instead of programs, imagine that firefoxurl is the real binary, and firefox sets up http, ftp, and so on, as symlinks to it. It can't put the real handler at 'http', since that could be overwritten by IE if someone opens IE and checks "make this my default web browser".

Summary is wrong

[HappyUserPerson]

From the MSRC blog post (linked in the summary):

While we might have been able to make changes in some Windows APIs to block these attacks, doing so could break how the 3rd party applications intended those protocol handlers to function. As a result, we recommend that the owners of the applications themselves address the potential issues since they understand their code the best. For example, application protocol handler authors must take special care to validate every argument which is passed in on the co

Whole thing reminds me of PHP XSS attacks...

[LingNoi]

Is it PHP's fault that people don't escape their data before executing MySQL statements? No. Still it's such a wide problem that PHP is now going to escape all data in later versions of PHP.

This is the exact same situation. There are problems with un-escaped data and Microsoft doesn't want to bother much like the PHP team did before they changed their minds about the situation.

The only difference here is the way the code executes. I personally think it's not Microsoft's fault but they should fix it anyway.

Re:

[Random832]

Is it PHP's fault that people don't escape their data before executing MySQL statements? No. Still it's such a wide problem that PHP is now going to escape all data in later versions of PHP.

wtf does "escape all data" even mean? Data coming out of the database gets escaped? Data read in from files? Contents of string literals? Arguments to "echo"? How does it know whether to escape for SQL, for HTML [< etc], or for something else? magic? You put "XSS" in the subject line, yet talk about MySQL in the body, which have nothing to do with each other (hint: XSS attacks are usually caused when you actually WANT the other person to be able to write HTML generally, but fail to prevent them from

Re:

[Limburgher]

No, XSS != SQL injection. SQL injection is more relevant here, and to prevent it, you escape any data you didn't generate yourself before using it in any way with an SQL query. Even if that data came from the database.

See www.php.net and look up mysql_real_escape_string() and pg_escape_string(). There are other functions for other purposes, but proper use of one of these two will save you lots of pain.

Re:

[Random832]

Yeah, but the GP suggested that the next version of PHP will "automatically escape all data", thus magically preventing both sql injections AND xss.

"Flip-Flops"?

[Mode_Locrian]

I'm quite aware that this is completely off-topic, but "Flip-Flops"? This locution, imported from contemporary political discourse, no doubt, irritates me to no end. Why not just say what you mean--namely: "changes its (or, in the case of persons, his/her) mind"? Or is this neologism supposed to mean something else that I'm not aware of (I doubt it, but who knows)?

Re:

[Lord Bitman]

The phrase "flip-flops" officially died the first time one pundit quoted another by using it without attributing the source. Same with quagmire. These are now gone from the English language. Please do not use them.

It's a philosophical bug nonetheless..

[zukinux]

If program A and program B are installed, and while the user uses program A (Internet Explorer) and a specific bug causes that if program B (firefox) is installed and the user is currently using program A, malicious user can cause program A to pass parameters which will not be checked on program B.

So who is guilty? Program A for allowing to pass those parameters? or Program B which doesn't sanitize input from other programs?
I'd say, both.

Hmmm.... and I was modded as Troll

[foniksonik]

I just stated this on the Adobe vulnerability story.... clickie to see the irony [slashdot.org]

My post:

"Is it really an Adobe vulnerability? Seems more like it's an IE vulnerability that has been blame-shifted to whoever writes the plugins that might expose it for what it is."

Replies:

"From what I understand, and there isn't much in the way of technical details available, this is not an IE flaw. IE, correctly, doesn't assume that a URI is invalid just because it looks odd. This is correct, because there is no way IE can kn

What, me worry?

[angus_rg]

Is anyone surprised that a big business swears there is no problem until they have a solution.

Re:

[TT076659]

A company says "We offer the best in security to ensure the protection of your business without any problems".

Few weeks later..

The company says "We have discovered an issue with bla bla bla, please visit bla bla bla to get the update".

The terms `flip-flop` and `Microsoft` together?

[octaene]

Usually, the terms `flip-flop` and `Microsoft` together in a sentence bring out the MS-bashers and Linux advocates. But to be frank, this is a good thing for Microsoft to do. Their previous argument was pretty solid, because how are Microsoft to anticipate each and every URL registration made by a third-party application writer? Answer: they can't.

So by now admitting to plans to write a more strict handling routine for the shell URI interpreter, Microsoft is not kowtowing to pressure from the free mark