The Active Network
  IE7/Firefox URI Handling Bug Caused by Windows After All
Time: 00:32 EST/05:32 GMT | News Source: BetaNews | Posted By: Kenneth van Surksum

An exploitable bug discovered earlier this month that was first believed to have been caused by Internet Explorer 7.0, before Mozilla was forced to admit that it afflicted Firefox as well, has apparently been traced back to a Windows API function.

The discovery may have been first revealed through the US-CERT Web site of the Dept. of Homeland Security, which now classifies it as a "Microsoft Windows URI protocol handling vulnerability." The function in question is an old favorite of malware writers: ShellExecute(), which was the subject of a notorious Windows 2000 exploit four years ago.

#1 By 45754 (164.140.159.143) at 7/31/2007 12:45:42 AM
Ping...Pong ???

#2 By 32132 (66.183.202.89) at 7/31/2007 1:23:06 AM
"Microsoft Windows may incorrectly determine the appropriate application to handle a protocol."

WHAT?????

How idiotic. Firefox registered the URI handler and told Windows to send URI's with FIREFOX:// in front of them to Firefox.

This is stupid.

http://msdn2.microsoft.com/en-us/library/ms647732.aspx

"The flags that specify how an application is to be displayed when it is opened. If lpFile specifies a document file, the flag is simply passed to the associated application. It is up to the application to decide how to handle it."

#3 By 15406 (216.191.227.68) at 7/31/2007 8:29:01 AM
Sweet. The truth finally comes out. Welcome to the ABM crowd, Parkkker. Too bad you only join when there's blame afoot.

This post was edited by Latch on Tuesday, July 31, 2007 at 08:31.

#4 By 23275 (24.179.4.158) at 7/31/2007 8:32:22 AM
#2 Surely you get it by now... FF is the end all when it comes to online security and where it does have flaws, they are Microsoft's fault, entirely - or so say the undergrad students of the Joseph Goebbels school of technical journalism...

#5 By 15406 (216.191.227.68) at 7/31/2007 9:46:59 AM
#4: Wow, 4 posts and Godwin's Law has already been invoked. I sense another story coming about trudging along the banks of the Rhine in 1918, carrying 4 of your wounded buddies on your back. Only the rich ecosystem of Vista prevented Europe from falling into the hands of the Nazis.

#6 By 23275 (24.179.4.158) at 7/31/2007 9:54:51 AM
#5, Well... if it's not the Reich's Minister of FOSS/OSS propaganda himself... Good Morning, Herr Minister.

This post was edited by lketchum on Tuesday, July 31, 2007 at 10:08.

#7 By 32132 (66.183.202.89) at 7/31/2007 10:09:39 AM
#4, #6 Too over the top. Latch gets coffee for people. He can't be expected to actually read and understand an API spec. Neither, it seems, can Firefox programmers. Or apologists.

#8 By 32132 (66.183.202.89) at 7/31/2007 10:10:55 AM
It's really too bad US-CERT has embarrassed itself to the point where it cannot be trusted.

#9 By 15406 (216.191.227.68) at 7/31/2007 10:26:32 AM
#6: Smells like Freudian projection to me.

#8: Yes, the entire world is out of order except you, Ketchum and Microsoft. CERT must have been compromised by cancerous Communists with open sores, or they're calling it as they see it -- one of the two.

#10 By 32132 (142.32.208.232) at 7/31/2007 10:47:10 AM
#9 I quote from the US-CERT advisory:

"IMPACT:

Microsoft Windows may incorrectly determine the appropriate application to handle a protocol. For example, a "safe" protocol such as mailto: may be incorrectly handled with an "unsafe" application, such as the Windows command interpreter. This can allow unexpected execution of arbitrary commands."

Since when does the above have anything to do with what is being discussed?


This post was edited by NotParker on Tuesday, July 31, 2007 at 10:47.

#11 By 23275 (24.179.4.158) at 7/31/2007 10:50:49 AM
#9, No, Latch, just extremists like yourself that have nothing better to do than hit Windows sites [nope - can't point your finger back at me... remember, I work on behalf of the site].
By the way... how many times have we to tell you... "no decaf!"

**I mean, Brah, we just can't take you seriously any longer... so we're not going to... and that is the heap upon which you have tossed yourself - so extreme - so consistently that we just can attach any import, or relevance to your comments any longer. That is exactly what happens to those on the left - people signing the front sides of checks recognize the noises you make for what they are, "noise."

#12 By 135 (209.180.28.6) at 7/31/2007 11:23:24 AM
Looks like someone here suffers from Firefox Derangement Syndrome.

#13 By 13030 (198.22.121.110) at 7/31/2007 11:28:38 AM
The zealots appear to be resorting to deflection and distraction tactics at this point. NotParker is harvesting API links as if they explain the problem, lketchum has crossed "forbidden" forum line by introducing a Nazi reference, latch comes back with one of his more humorous replies, and the whole thing tailspins into silliness. (I love this place.)

The CERT Vulnerability Note VU#403150 (http://www.kb.cert.org/vuls/id/403150) and the first comment on the news story site by "kruador" may explain the problem. The key point here is the URL encoding and decoding that is taking place under the covers of the ShellExecute series of functions. With IE7, the "escaping" of critical characters, such as the apostrophe, is where the problem can manifest itself. My guess is that Microsoft, in its attempts to make the browser and the OS inseparable, seems to have the ShellExecute API making use of an IE library function that functions differently with IE7.

#14 By 10748 (134.187.163.50) at 7/31/2007 12:37:09 PM
#6 *applause* ...

Sodablue??? I thought you dropped off the face of the earth... this thread is a reunion!

#15 By 15406 (216.191.227.68) at 7/31/2007 2:10:37 PM
#11: Hey, if you & your bud Parkkker don't want to take me seriously, I'll have to find a shrink and go into therapy. After all, validation from the two of you is the only thing getting me through each day.

fyi I stopped taking the opinions of you two Windows cheerleaders seriously a long time ago but I don't feel the need to announce it like I'm some self-important a-hole.

What exactly is an extremist in this context, and how would it differentiate me from you?

#16 By 32132 (142.32.208.232) at 7/31/2007 2:48:00 PM
Even the Mozilla programmers agree with me:

https://bugzilla.mozilla.org/show_bug.cgi?id=389580#c30

"As someone pointed out via email, we don't handle these web protocol handlers correctly."

And how do they deal with it? They pay attention to the API's.

https://bugzilla.mozilla.org/show_bug.cgi?id=389580#c37

"This is purely an experimental patch that avoids major changes by vetting URI through the newer CreateUri available post IE7. "

#17 By 32132 (142.32.208.232) at 7/31/2007 2:49:55 PM
And what happens when you read CreateURI:

"Warning Legacy file scheme URIs should be used only with legacy APIs that will not accept healthy file scheme URIs. Legacy file scheme URIs do not allow for percent-encoded octets, which can lead to ambiguity. Therefore, legacy file scheme URIs should not be used unless absolutely necessary."

http://msdn2.microsoft.com/en-us/library/ms775098.aspx

#18 By 32132 (142.32.208.232) at 7/31/2007 2:51:39 PM
#15 "After all, validation from the two of you is the only thing getting me through each day."

Bullsh*t.

Spewing hate and vitriol is what gets you through the day. You are a sick addict. ch and Kabuki are no different.

#19 By 15406 (216.191.227.68) at 7/31/2007 3:13:32 PM
http://en.wikipedia.org/wiki/Psychological_projection

#20 By 23275 (24.179.4.158) at 7/31/2007 3:15:16 PM
Latch, you can be a lot of fun - don't spoil it by "really" getting mad. It's just software...

And yes, it is as fun to get you going as it may be for you to get me going.

That all said, you gotta admit, there is a difference... here goes... we use Microsoft software and we and our customers benefit from it - hence our participation here... to learn, share and poke fun at one another [on occasion]. This is not a *nix centric site - and there is the difference - you and I are here for different reasons and you won't find me on *nix centric sites bashing Unix, or Linux - which we do use - again, a difference between us - we actually do use *nix and Vista and other MS software. You don't seem to use both and you're not an MS user/advocate, admin, or dev... surely you can see the difference is relevance.

Again, it's still fun to read what you say and even more so to leverage it and watch you come back - I wouldn't dish it if I couldn't take it... so swing away as you do. Just have some fun once in a while - it seems sometimes you don't.

#21 By 32132 (142.32.208.232) at 7/31/2007 3:33:45 PM
#19 I'm disappointed you couldn't actually even try and fake a reply to #16 and #17.

But you seem well informed about psychological problems .... no surprise.

#22 By 13030 (198.22.121.110) at 7/31/2007 4:29:45 PM
#16: "Even the Mozilla programmers agree with me"

Make sure you show the entire context surrounding the quote, otherwise you look like a Dan Rather trying to steamroll an agenda.

The next sentence, which you somehow forgot to include, makes it perfectly clear:

"As someone pointed out via email, we don't handle these web protocol handlers correctly. We generally trust SE to keep us safe, and that doesn't appear to have been the right approach."

The next post confirms what I found others saying and what my own tests have shown:

"Also, some test results - last night I spent mostly with IE6, and was unable to get calc to launch. After an upgrade to IE7, I've confirmed the calc / mailto thing works."

"And how do they deal with it? They pay attention to the API's."

Actually, existing core OS APIs should never change in their behavior in a manner such as this merely due to the upgrade of an application (IE7)--this violates accepted software development practices. Developers write code depending upon things like this to behave predictably.

I find lketchum's silence on the technical issue at hand to be interesting...

"ch and Kabuki are no different."

lol. This coming from the person who can't comprehend someone having a vested interest in a company (both in my career and as a shareholder) and expecting that company to always take the high road. Granted, Microsoft does right more than wrong, but it's things like this that cause frustration since I see the technical failing for exactly what it is.

#23 By 32132 (142.32.208.232) at 7/31/2007 5:09:37 PM
#22 I refer you to the admission that yes, there is a bug in Firefox's handling of URLs.

"#4 in comment 30 is bug regardless of whether we use ShellExecute as we are now
or do the more indepth duplication of Windows behavior."

https://bugzilla.mozilla.org/show_bug.cgi?id=389580#c35

Further reading:

http://msinfluentials.com/blogs/jesper/archive/2007/07/20/hey-mozilla-quotes-are-not-legal-in-a-url.aspx
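
As an added illustration of the URI vetting this thread keeps returning to (not code from any commenter, Mozilla or Microsoft): before a URI is passed to an external protocol handler, the caller can require an allowed scheme, only characters that RFC 3986 permits, and well-formed percent-escapes. The function names and the scheme allowlist are assumptions, and the sample URIs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static const char *const ALLOWED_SCHEMES[] = { "http", "https", "mailto" }; /* assumed allowlist */

/* Punctuation RFC 3986 allows in a URI; double quote and space are not in it. */
static const char URI_PUNCT[] = "-._~:/?#[]@!$&'()*+,;=";

/* Case-insensitive match of the first len bytes of uri against the allowlist. */
static int scheme_allowed(const char *uri, size_t len)
{
    for (size_t i = 0; i < sizeof ALLOWED_SCHEMES / sizeof *ALLOWED_SCHEMES; i++) {
        const char *s = ALLOWED_SCHEMES[i];
        size_t j = 0;
        while (j < len && s[j] != '\0' && tolower((unsigned char)uri[j]) == s[j])
            j++;
        if (j == len && s[j] == '\0')
            return 1;
    }
    return 0;
}

/* Return 1 only if the URI may be handed to an external protocol handler:
 * allowed scheme, legal characters, and every '%' followed by two hex digits. */
int uri_ok_for_external_handler(const char *uri)
{
    const char *colon = strchr(uri, ':');
    if (colon == NULL || !scheme_allowed(uri, (size_t)(colon - uri)))
        return 0;
    for (const char *p = colon + 1; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '%') {
            if (!isxdigit((unsigned char)p[1]) || !isxdigit((unsigned char)p[2]))
                return 0; /* malformed or truncated percent-escape */
            p += 2;
        } else if (c >= 0x80 || (!isalnum(c) && strchr(URI_PUNCT, c) == NULL)) {
            return 0; /* raw quote, space, control or non-ASCII byte */
        }
    }
    return 1;
}

int main(void)
{
    /* Constructed samples: clean, malformed escape, raw double quote. */
    const char *t[] = { "mailto:a@example.com", "mailto:a%zz", "http://example.com/\"x\"" };
    for (size_t i = 0; i < sizeof t / sizeof *t; i++)
        printf("%d  %s\n", uri_ok_for_external_handler(t[i]), t[i]);
    return 0;
}
```

Rejecting a URI outright, rather than trying to repair it, keeps the decision with the caller instead of with whatever parsing the downstream handler applies.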

#24 By 23275 (24.179.4.158) at 7/31/2007 5:49:57 PM
#22, There is a reason for that... technically both are wrong and I don't see any quick way to fix it, either. That said, both sides are right and for the same reason. Responding technically to Latch is a lost cause - it does no good. So I may as well have some fun as I test the site and make sure it is okay and safe from some creep in BR who's DL'd a program designed to try and hurt really old tech that I have zero control over... <not that there are not a hundred ways to take care of that and flex-cuff the idiot to a tree - which has nothing to do with Latch or the subject...> so actually, the technical silence is perhaps a lot more complex and interesting than meets even your obviously well tuned sense of things (which is kind of cool and suggests that you're a lot smarter than even your smart posts suggest).

Y'all remember Halcyon, or some such spelling? - I used to debate him almost daily - he was a *nix advocate that debated based upon merit and that effort was worthy of the time. He seems to have been replaced by Latch here from the FOSS/OSS side and since, it's been one barb after another - from both sides. That's okay and even fun, but it does not make for great technical debate. I'm too old, and too busy to mess with that.

#25 By 15406 (216.191.227.68) at 8/1/2007 8:49:54 AM
#20: "This is not a *nix centric site"

True and irrelevant. I'm not usually waving the flag for Linux or UNIX; I'm usually throwing tomatoes at MS for their poor behaviour.

"you won't find me on *nix centric sites bashing Unix, or Linux"

If you have a problem with UNIX, be my guest and vent on UNIX sites.

"You don't seem to use both and you're not an MS user/advocate, admin, or dev... surely you can see the difference is relevance."

Things aren't always as they seem, are they? I am most certainly an MS user, since it's practically impossible to own a PC and not be (can you say 'monopoly' and 'lock-in' children? I knew you could.) I am definitely not an advocate. Their software isn't terrible (some of it is even good), but their business behaviour is unethical & underhanded. That I cannot support in good conscience. Others will overlook anything for the right price. I am also a developer and do most of my work under Windows.

I still don't see from your explanation how I'm an extremist (again, whatever that means) versus yourself. I will comment on the warts of UNIX, FOSS or MS, while you and your merry band only see the sunny side of the MS street and totally overlook the long history of bad deeds. So, again I ask you: who is the extremist?
