Unofficial Patch For Windows URI Hole
dg2fer writes "For more than two months, the vulnerability of parsing URIs has been known for a number of Windows programs, including Outlook, Adobe Reader, IRC clients, and many more. Microsoft admitted the vulnerability only last week. The latest Microsoft patches published on October's Patch Tuesday did not include a solution, so hackers have taken on the problem themselves. One, KJK::Hyperion, has published (as open source) an unofficial patch that cleans up the critical parameters of URI system calls before calling the vulnerable Windows system function."
Re:Well... (Score:5, Informative)
The guy who wrote this patch actually works on ReactOS. http://www.reactos.org/wiki/index.php/KJK::Hyperion [reactos.org]
I knew I remembered the name from somewhere.
What is Microsoft's reason for silence? (Score:5, Interesting)
Is this vulnerability used / proposed to be used to make non-genuine Windows XP machines running IE7 unusable? Remember the unapproved, illegal stealth update that broke patching after a 'system restore'? Microsoft's continued silence is very intriguing.
Re: (Score:2)
Millions of dollars in research takes time.
Re:What is Microsoft's reason for silence? (Score:5, Interesting)
But the problem is peculiar to IE7 and XP, NOT IE7 under Vista. This means that the billion dollar research has actually been completed, and that Vista includes the protection mechanism. Since IE7 was released after XP, it clearly indicates that this flaw was on purpose, with some possible ulterior motive.
Already, trust has been lost with the stealth update of XP; now with IE7 being forced as a Critical Patch despite the broken security model, the mistrust is complete.
What Microsoft considers to be a critical patch is actually a crippling security hazard! How ironic!!
Re:What is Microsoft's reason for silence? (Score:5, Insightful)
The function with the problem is now considered part of the core OS in XP and not really part of IE anymore, even though IE updates often included updates to it; it's more part of a common set of Internet-related libraries which many applications use.
Because MANY applications use this library, making changes to it without evaluating what will happen to the many applications that use it could result in a lot of broken applications. Microsoft doesn't want to piss off a bunch of users by fixing a security flaw that will effectively break a lot of stupid apps that were also not written properly. As the open source patch page says, apps will break with the way it is done, so MS will take some more time and try to fix the problem in a way that doesn't bork everybody.
This is in contrast to the way the open source community would typically handle a problem such as this. Someone would patch the offending library, and any app that broke along the way (which is also likely to be open source since the user is already using open source applications/OSes) can also be patched as needed. The original authors typically would spend less time worrying about backwards compatibility issues and just break those apps in favor of security.
When you are dealing with an arena where most of the users A) use closed source apps, B) don't watch for updates to their applications, let alone install them as soon as they come out, C) generally don't care about such issues until it affects them, D) get rather pissed off when a subtle change applied in an automatic update they automatically installed breaks applications with which they see no relationship, then it makes sense to take your time and fix the problem and maintain as much backwards compatibility as possible, so users don't experience issues. I wish more open source developers would learn this. Any project with some age to it generally understands it, but plenty of new/small OSS libraries have no concept of backwards compatibility and/or the fact that fixing bugs should not break compatibility if there is any possible way to avoid it.
It's ignorant to think the core libraries which contain the ShellExecute function are the same in Vista and XP, for so many reasons it's not even funny. They are rather tightly linked into many parts of the OS, the main one that comes to mind is the registry. The simple fact that registry permissions are a lot different in Vista compared to XP probably resulted in a major refactoring of the function. If you understood how the function actually achieved its goals in the first place, you'd understand that it's likely to have changed drastically in Vista and as such problem doesn't actually fix the problem directly, but as a side effect of other changes. Or, it could just be that the problem is different in Vista in such a way that it manifests itself differently.
I have no love for many of the things MS does with Windows for a multitude of reasons. However, your logic for bashing them here is ignorant at best. You have no concept of large scale software development or you would probably understand how this could show up in one major OS revision and not in the next, and no understanding of where the function belongs in the system as a whole.
As a final thought though, by this point in time, they should have come up with a way to fix it with as little pain as possible, or admit defeat and break the apps that don't handle URLs properly anyway.
Re:What is Microsoft's reason for silence? (Score:4, Insightful)
Re: (Score:2)
Re: (Score:3, Insightful)
It's all about the benjamins. (Score:1)
They'd be incredibly silly if they didn't bend over backwards to make sure no apps get broken 'cos of these patches. If your mission-critical XYZ app suddenly stops working, you have every right to be pissed off!
(whereas mission-critical XYZ could also be called "that photo sharing app grandma learned how to use five years ago".)
Re:What is Microsoft's reason for silence? (Score:5, Insightful)
Never ascribe to malice, that which can be explained by incompetence.
Since the system core is different on XP vs. Vista, it's quite likely that there are differences in how IE7 interacts with XP than it does with Vista. It's not impossible that a genuine bug only affects the XP interaction but not Vista.
Re: (Score:1)
I'm not sure how many times patches after patches to make this work. And previously, a security patch for pdf files which also link to IE7, and now this. They should just say IE7 is only for Vista, and MS build it through Vista's development. MS should be more transparent in admitting their problem rather than just releasing patches after patches which is rather tiring I must say.
> Since the system core is different on XP vs. Vista, it's quite likely that there are differences in how IE7 interacts with XP than it does with Vista. It's not impossible that a genuine bug only affects the XP interaction but not Vista.
I have to agree with this. How can the same browser interact with a dif
Re: (Score:3, Insightful)
Of course, that could indeed not be the case at all...
Espionage rental income (Score:2)
Until then, those that rented the hole will get what they paid for.
I don't understand the logic (Score:5, Insightful)
Yes, the risk is real and it sucks. But it's not your responsibility to fix Microsoft's holes. Once you do take on that responsibility, are you also willing to face the consequences when your users blame you for their license revocation?
Sure it won't happen this time, and maybe you'll dodge the bullet a few more times, but when the day comes that you've crossed over the line too far, will having fixed Microsoft's problems really have been all that great?
Re: (Score:2)
Fixing Microsoft-created holes is the basic reason why anti-virus firms exist; and why they do such roaring business; and also why they are trusted MORE than Microsoft, which makes the underlying crappy OS.
What is the worst that can happen when WGA fails? If the user gets no further updates from Microsoft..
Re: (Score:1)
Considering that AV software sucks so bad I believe it was causing blue screens in Vista, or when it is working "properly" it slows down the computer noticeably. Norton and McAfee are both steaming piles..
Re: (Score:2)
SAV/eTrust/McAffee/etc. with their real time scanners essentially use fancy hacks to work. Microsoft's decision to shut them out in Vista essentially forced them to find another hack for it, just like the virus writers will eventually do themselves. Its cat and mouse. Locking out security companies with the economic scale to put
Re: (Score:1)
Maybe you need to read the articles again, because the AV people didn't find another way to 'hack' around anything in Vista, MS changed Vista so that they could continue to operate as normal.
Re: (Score:2)
First off, this message probably sounds insulting to non-MS based OSes; it's not meant to be, I prefer FreeBSD and OSX myself.
Don't confuse your 's lack of a massive user base with the reason Windows is the target of so many viruses.
Regardless of what you think about your OS (whatever you may use) it is STILL capable of getting infected by a virus. Traditionally, Windows users (due to lack of intelligent design by MS) typically run everything at elevated
Re: (Score:2)
> Fixing Microsoft-created holes is the basic reason why anti-virus firms exist; and why they do such roaring business; and also why they are trusted MORE than Microsoft, which makes the underlying crappy OS.
Anti-virus programs don't "fix holes" in the OS, they fix holes in the *user*.
Re: (Score:3, Informative)
It's a memory-only patch, and it hooks the vulnerable function using a standard, documented method (that was made obsolescent in Vista, but Vista isn't vulnerable in the first place). Apart from the horrible bugs that are entirely my own damn fault, nobody will care or know that my patch is installed on a system (unless they go look for it). It doesn't even address the vulnerability directly, it just prevents the vulnerable function from ever seeing an abnormal URL. Basically, I did it because I could, and
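The approach described above, a shim that lets the system URI handler see only well-formed input, boils down to an allow-list check on the URI string. The following is an added illustration written for this page, not KJK::Hyperion's patch or any Windows code; it assumes a hypothetical caller that would only invoke the real handler when `uri_is_well_formed` returns true, and it checks the RFC 3986 shape (scheme, then allowed characters, with every `%` followed by two hex digits):

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed example: a conservative gate a shim could run on a URI
 * before handing it to the system's URI handler. Only strings that
 * follow the RFC 3986 shape get through:
 *   scheme  = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
 *   body    = unreserved / sub-delims / gen-delims / "%" HEXDIG HEXDIG
 * Whitespace, quotes, control bytes and a stray '%' are rejected, so
 * the caller (hypothetical, not shown) refuses to launch anything. */

static bool is_scheme_char(unsigned char c)
{
    return isalnum(c) || c == '+' || c == '-' || c == '.';
}

static bool is_uri_body_char(unsigned char c)
{
    if (isalnum(c)) return true;
    /* unreserved, gen-delims and sub-delims from RFC 3986 */
    return strchr("-._~:/?#[]@!$&'()*+,;=", c) != NULL;
}

bool uri_is_well_formed(const char *uri)
{
    size_t i = 0;
    if (uri == NULL || !isalpha((unsigned char)uri[0])) return false;
    while (is_scheme_char((unsigned char)uri[i])) i++;
    if (uri[i] != ':') return false;        /* scheme must end in ':' */
    if (uri[i + 1] == '\0') return false;   /* "mailto:" alone is not a URI */
    for (i++; uri[i] != '\0'; i++) {
        unsigned char c = (unsigned char)uri[i];
        if (c == '%') {
            /* percent-encoding must be exactly two hex digits */
            if (!isxdigit((unsigned char)uri[i + 1]) ||
                !isxdigit((unsigned char)uri[i + 2])) return false;
            i += 2;
        } else if (!is_uri_body_char(c)) {
            return false;                   /* space, quote, control byte, ... */
        }
    }
    return true;
}
```

Rejecting malformed input outright, rather than trying to repair it, is what keeps the handler from ever seeing an abnormal string; it may also refuse URIs that some sloppy application relies on, which is the compatibility cost discussed elsewhere in this thread.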
Re: (Score:1)
How far would you be willing to go to fix an MS hole? Would you stop at the API level? Make calls to undocumented library functions? Replace a faulty DLL?
Re: (Score:2)
> I wish Mozilla used something like this instead of the messy code they have now
Where is the Mozilla code in question? Maybe someone can file a bug and/or patch?
Re: (Score:1)
Anyway, I'm glad to see that somebody tried to do something because of Microsoft's inaction. There are people out there that are forced to use Windows and this patch could definitely help hold them over until Microsoft gets their crap together. This patch just r
Re: (Score:2)
At a seminar recently the speaker summed up proprietary software with a simple quote:
"Hardware comes with a warranty. Software comes with a disclaimer."
Re: (Score:2)
> "Hardware comes with a warranty. Software comes with a disclaimer."
This does not change the fact that there are very real and tangible consequences for a fix to proprietary software that causes extensive breakage (lost customers and, more importantly, revenue), whereas the consequences for the same in the cowboy-esque OSS world have little impact outside the developer's ego.
Your software might not come with a warranty, but if enough people stop paying for it, rest assured that the vendor will take notice.
It's a philosophical bug nonetheless.. (Score:1)
So who is guilty? Program A for allowing to pass those parameters? or Program B which doesn't sanitize input from other programs? I'd say, both.
Re: (Score:1)
coincidences for me, I have the latest patch for microsoft, although you need to do some install, here is the link at http://www.ubuntu_save_me_from_ms.com/ [ubuntusavemefromms.com]
whenever I can I try to push compa
Re: (Score:1)
I'm still not sure.
WHY? (Score:4, Interesting)
You ARE a paying user, and you SHOULD get the "quality" service you deserve. Isn't that why the OS costs money?
I applaud those who have taken action & even more released the code as open source; it only shows the good hearts of the open source community, but as others mentioned, you may break something in this very unstable OS, and you'll be the ones to blame, rather than being thanked for saving the users' money, identity & privacy.
Re: (Score:2)
I hear that all too often. Personally, I think sense of entitlement has already done enough damage to IT security: there is this whole cottage industry of blackmailing services thriving on it, and despite it paying part of my rent, it only feels right and just to sabotage it.
I would have made the patch for myself anyway (it wouldn't have been the first), releasing it as open source was just the icing. I didn't do it for any particular reason other than the obvious: I want to be protected, and I can protect
Hole in the Patch for the Windows URI Hole (Score:5, Informative)
The author of the Patch for the Windows URI Hole, KJK::Hyperion, found a big bug in his patch for the Windows URI hole. "I just found a gruesome memory leak in it. A silly bug, brown paperbag-grade shame."
According to the article on heise security [heise-security.co.uk] he has already published [xepher.net] a bugfixed version of his patch -- hoping for the best that it's not buggy again.
Fingers in my ears (Score:5, Funny)
Appropriate subject line (Score:1)
Recurse (Score:1)
Microsoft may have a bad track record (Score:3, Insightful)
Introducing a much worse security hole when fixing a minor security hole is the kind of thing that can happen when you write code without getting it reviewed. Any decent code review would have caught that bug. And that is not the real reason third party "patches" for closed source software are a bad idea.
The correct way to fix a bug in any piece of software is to take the source, fix the bug, and recompile. No third party can do that for a closed source product, which is why that approach is never going to be good for the users.