The Active Network
  IE vs. Mozilla on the Shell Hole—Whose Bug Is It?
Time: 14:29 EST/19:29 GMT | News Source: eWeek | Posted By: Jonathan Tigner

Opinion: Mozilla exposed the scheme, opened the hole. Now it's a debate in security circles. But the only way this is a vulnerability in Windows is if it's a vulnerability for a shell to be able to run programs.

In the wake of last week's revelation of a security hole in Mozilla that allows the execution of arbitrary programs on the client system, a philosophical debate has emerged: Is this a bug in Mozilla or a bug in Windows?

I think the argument is that Windows should prevent the shell scheme from executing programs, but this isn't a job for Windows. This is a job for the browser. All Windows is doing in the case of what was just patched in Mozilla is taking an instruction to run a program and running it. If the browser didn't ask for it, it wouldn't happen.

#1 By 21203 (208.252.96.195) at 7/12/2004 3:40:04 PM
Bingo! (3rd paragraph)

Programs launching programs isn't a bad thing. Unix and Windows both do it. Unix tends to do it in a much more restricted space though. Windows users tend to run as Admin. Big deal. That's just "the way it is".

SP2 will change that to a degree, which is a good thing, but that isn't the point:

Firefox is a browser. To have a URL line that launches another program isn't a flaw with the OS, but rather a flaw with the design of the browser.

For example: If I put in a command "format://" as usable in the URL line of the browser, and it launched the "format" program with all parameters after the "://", would you say that's a flaw with the OS? Hell no. Why did the browser allow that line? Why did it take that line and use it to launch that program?

Firefox did one better. They allowed the "shell://" command which allowed the OS to interpret the entire command after the "shell". So instead of using the in-program interpreters for MP3 files or AVI files as part of the Firefox config, you could just type in "shell:.mp3" and it would launch whatever your MP3 player was.

The fix? Remove the interpretation of "shell://". What did it break? Nothing, because it was stupid to have put it in in the first place. You could still have external programs launched, but they would be referenced by a "http://........whatever.mp3" which is a valid URL syntax (scuse my dots) and interpreted and configured and allowed via the browser and not an automatically launched program.
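
Added example (not part of the thread and not Mozilla's code): a default-deny scheme check of the kind comment #1 argues the browser should apply before anything reaches the OS shell. The scheme sets and the names `extractScheme` and `classifyLink` are assumptions made for illustration; the `shell:` and `format://` inputs are the ones the comment uses.

```javascript
// Schemes the browser renders itself (assumed set for this sketch).
const INTERNAL = new Set(['http', 'https', 'ftp']);
// Schemes that may go to an OS-registered handler, and only after a user prompt.
const EXTERNAL_ALLOWED = new Set(['mailto', 'news']);

// RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
const SCHEME_RE = /^([a-z][a-z0-9+.-]*):/i;

function extractScheme(raw) {
  // WHATWG URL parsing strips leading/trailing C0 controls and spaces and
  // removes tab/CR/LF anywhere in the input. The filter must normalise the
  // same way, or "sh<TAB>ell:" would be checked as one string and parsed
  // later as another.
  const cleaned = String(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\r\n]/g, '');
  const m = SCHEME_RE.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

function classifyLink(raw) {
  const scheme = extractScheme(raw);
  if (scheme === null) return { action: 'resolve-relative', scheme: null };
  if (INTERNAL.has(scheme)) return { action: 'load-internal', scheme };
  if (EXTERNAL_ALLOWED.has(scheme)) return { action: 'prompt-then-external', scheme };
  // Default deny: an unknown scheme is never forwarded to the OS shell.
  return { action: 'block', scheme };
}

// Constructed sample links, including the two forms named in comment #1.
const SAMPLES = [
  'http://example.com/whatever.mp3',
  'mailto:someone@example.com',
  'shell:.mp3',
  '  SHELL:.mp3',
  'sh\tell:.mp3',
  'format://c',
  'whatever.mp3',
];

function report() {
  return SAMPLES.map((s) => `${JSON.stringify(s)} -> ${classifyLink(s).action}`);
}

console.log(report().join('\n'));
```

The design point is the last branch of `classifyLink`: the browser decides which schemes leave the process, so a scheme it has never heard of is dropped instead of being interpreted by whatever the operating system has registered for it.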

#2 By 2960 (156.80.64.137) at 7/12/2004 3:42:50 PM
Wait, back the truck up :)

Should Windows even ALLOW the Browser to do this in the first place?

TL

#3 By 135 (209.180.28.6) at 7/12/2004 3:43:35 PM
It's interesting to note that the Mozilla Developers are not nearly as stupid as the Mozilla Zealots. Usually Zealots parrot a corporate line, but in this case the Developers said "This is a bug in our code" and the Zealots instead refused to recognize the fault and tried to redirect the blame towards Microsoft.

#4 By 116 (24.173.215.234) at 7/12/2004 3:56:58 PM
A browser is just like any other application. It shouldn't be Windows' job to write Mozilla's browser software for them. This would be just like me writing an application for a calculator and telling my app to open notepad using the shell command.

How is Mozilla any different from any other normal Windows application? This was definitely a bug in Mozilla's software and soda you are exactly right. The zealots just really don't want to admit it. And BTW if it wasn't a bug in Mozilla then why did the Mozilla foundation issue a patch???


#5 By 7797 (63.76.44.200) at 7/12/2004 4:41:58 PM
"Should Windows even ALLOW the Browser to do this in the first place?"

Exactly my thoughts. As you can see some of the people here seem to think "YES".
Microsoft thinks NO and is fixing it with SP2. So Microsoft concedes that it's a Windows design flaw yet the people in this forum keep arguing about it anyways.

#6 By 116 (24.173.215.234) at 7/12/2004 4:53:11 PM
And TGNB still chooses to stare blankly into his koolaid.

NO and BS!

This is a Mozilla design hole which even the Mozilla devs agree. Read the flipping article!

#7 By 7797 (63.76.44.200) at 7/12/2004 5:11:15 PM
So Microsoft fixed a Mozilla flaw in SP2?

#8 By 135 (209.180.28.6) at 7/12/2004 5:14:20 PM
It appears that tgnb and Halcyon are now advocating that Microsoft should incorporate a patch to prevent software not written by Microsoft, such as Mozilla, from running at all.


It's interesting how the mind twists and turns in the wind of Zealotry.

#9 By 7797 (63.76.44.200) at 7/12/2004 5:27:51 PM
RedAvenger: "Read the flipping article!"

First of all the article is an opinion piece and not fact. Secondly he says:

"I've seen some claim that the fact that SP2 is so merciless with shell: links is proof Microsoft knows there was a problem in Windows, that what was really fixed was the browser, not Windows. Remember, it's the browser's behavior that's changed in SP2, disabling the links completely."

The only hook he forgets here is that the browser is so tightly integrated into Windows that it's part of the OS and not just another 3rd party software like another web browser. In essence explorer IS IE.

#10 By 7797 (63.76.44.200) at 7/12/2004 5:43:02 PM
" It appears that tgnb and Halcyon are now advocating that Microsoft should incorporate a patch to prevent software not written by Microsoft, such as Mozilla, from running at all."

I am talking about something Microsoft DID fix. Not something they SHOULD fix.

#11 By 116 (24.173.215.234) at 7/12/2004 6:12:41 PM
Dude you are nuts... Sorry I said it and yes I am calling you names.

I don't see how you can argue when it's so black and white. Go talk to the Moz devs if you don't believe me. Bottom line it's an issue with Moz which they patched. You do know that Moz released a patch for this right? If it was a bug with Windows why wouldn't MS patch it? Bottom line, dumb design decision from the Moz team who were talking about this 2 years ago, had it pointed out to them that it was stupid, and just recently found an exploit in the wild so they decide to fix it.

Go talk to the Moz developers and ask them point blank. Is this a bug with moz or Windows. See what they tell you.

#12 By 2332 (66.228.91.12) at 7/12/2004 6:49:07 PM
It happens in a bunch of MS products as well:

http://www.infoworld.com/article/04/07/12/HNmicromozilla_1.html

#13 By 116 (24.173.215.234) at 7/12/2004 8:23:25 PM
Bunch of ms products meaning two... Funny my definition is usually higher than at best a couple!

I would like to see the actual vulnerabilities before commenting further but it would be much harder to exploit just due to the nature for how messenger and word operate.

It is ridiculously easy to exploit this through Firefox. It is not exploitable on IE. Halcyon, give me a break dude. Sheesh.

This post was edited by RedAvenger on Monday, July 12, 2004 at 20:23.

#14 By 12071 (203.185.215.149) at 7/12/2004 9:07:12 PM
#15 Thanks for the link, I must say I love the title on it! All these products are vulnerable to Mozilla's bug =) Damn Mozilla! They put their bugs all over the place for Microsoft to trip up on!

#18 Who cares if it's harder, easier etc... You should be asking... No I'll rephrase, you should be explaining to all of us how this Mozilla bug (after all you said it wasn't a Windows nor IE bug) is affecting Microsoft products!

#15 By 12071 (203.185.215.149) at 7/12/2004 9:20:20 PM
#21 "Which is safer, if even marginally so?"
That's a rhetorical question and I'm not disagreeing with you as to which is marginally the safer option. But does that change where the fault lies? How is this a Mozilla only bug if all these other Microsoft products are vulnerable to exactly the same thing?

And comments like "And BTW if it wasn't a bug in Mozilla then why did the Mozilla foundation issue a patch???" from RedAvenger only serve to show his true ignorance on the subject. He's obviously never heard of developers/vendors releasing work-arounds for bugs that are outside of their control!

#16 By 116 (24.173.215.234) at 7/13/2004 12:00:17 AM
Whatever you say Chris... I just tried the supposed exploit from Word 2003 and MSN messenger and guess what?

THEY DON'T WORK!!!

So I guess my point is taken right? Also the dude who posted this to Full Disclosure is a complete prick. By his own words he states that he only posted it because he was upset that moz had egg on its face. These are great people.

#17 By 21203 (4.5.32.137) at 7/13/2004 3:23:22 AM
An application launching another application WAS status quo for Windows XP pre-SP2.

Microsoft recognizes that this is a potential vulnerability so is reducing the surface attack area in this regard (local machine rights on applications vs user rights).

Microsoft isn't "fixing a bug" so much as "improving security". Mozilla was written for the "status quo" Windows (pre-SP2) and had the shell:// command viable, which in turn allowed the launching of programs.

So yes, you can say that it was a windows security problem, but it was potentially available in all programs. But any programmer who did it, you would say was being sloppy. Mozilla is not untouchable in this regard.

(edit) #16, you are absolutely right. You sound like you have a much better grasp on the techno stuff than I do, but I think I'm basically correct... I hope.

This post was edited by mram on Tuesday, July 13, 2004 at 03:25.

#18 By 16451 (67.131.75.3) at 7/13/2004 11:03:10 AM
Well, things are moving on. It was just reported that both MSN Messenger and Word are subject to this same exploit mechanism.
