ActiveWin.com - The Most Activated Windows Resource

ActiveWin

User Controls

New User

Edit/View My Profile

Active Network

ActiveMac

ActiveWin

ActiveXbox

DirectX

Downloads

FAQs

Interviews

MS Games & Hardware

Reviews

Rocky Bytes

Support Center

TopTechTips

Windows 2000

Windows Me

Windows Server 2003

Windows Vista

Windows XP

News Centers

Windows/Microsoft

Apple/Mac

Xbox/Xbox 360

News Search

XML/RSS Newsfeeds

Pocket PC Site

FAQ's

Windows Vista

Windows 98/98 SE

Windows 2000

Windows Me

Windows Server 2003

Windows XP

Windows 7

Windows 8

Internet Explorer 6

Internet Explorer 5

Xbox 360

Xbox

DirectX

DVD's

Latest Reviews

Xbox/Games

Fable 2

Applications

Windows Server 2008 R2

Windows 7

Adobe CS5 Master Collection

Hardware

Microsoft Express Mouse

Latest Interviews

Mike Swanson

Site News/Info

About This Site

Advertise

Affiliates

Default Home Page

Link To Us

IE7/Firefox URI Handling Bug Caused by Windows After All

Time: 00:32 EST/05:32 GMT | News Source: BetaNews | Posted By: Kenneth van Surksum

An exploitable bug discovered earlier this month that was first believed to have been caused by Internet Explorer 7.0, before Mozilla was forced to admit that it afflicted Firefox as well, has apparently been traced back to a Windows API function.

The discovery may have been first revealed through the US-CERT Web site of the Dept. of Homeland Security, which now classifies it as a "Microsoft Windows URI protocol handling vulnerability." The function in question is an old favorite of malware writers: ShellExecute(), which was the subject of a notorious Windows 2000 exploit four years ago.

Read Only Comments
Return to News

Displaying Comments 1 through 32 of 32

This is an archived static copy of ActiveWin.com.

#1 By 45754 (164.140.159.143) at Tuesday, July 31, 2007 12:45:42 AM

Ping...Pong ???

#2 By 32132 (66.183.202.89) at Tuesday, July 31, 2007 01:23:06 AM

"Microsoft Windows may incorrectly determine the appropriate application to handle a protocol."

WHAT?????

How idiotic. Firefox registered the URI handler and told WIndows to send URI's with FIREFOX:// in front of them to Firefox.

This is stupid.

http://msdn2.microsoft.com/en-us/library/ms647732.aspx

"The flags that specify how an application is to be displayed when it is opened. If lpFile specifies a document file, the flag is simply passed to the associated application. It is up to the application to decide how to handle it."

#3 By 15406 (216.191.227.68) at Tuesday, July 31, 2007 08:29:01 AM

Sweet. The truth finally comes out. Welcome to the ABM crowd, Parkkker. Too bad you only join when there's blame afoot.

This post was edited by Latch on Tuesday, July 31, 2007 at 08:31.

#4 By 23275 (24.179.4.158) at Tuesday, July 31, 2007 08:32:22 AM

#2 Surely you get it by now... FF is the end all when it comes to online security and where it does have flaws, they are Microsoft's fault, entirely - or so say the undergrad students of the Joseph Goebell's school of technical journalism...

#5 By 15406 (216.191.227.68) at Tuesday, July 31, 2007 09:46:59 AM

#4: Wow, 4 posts and Godwin's Law has already been invoked. I sense another story coming about trudging along the banks of the Rhine in 1918, carrying 4 of your wounded buddies on your back. Only the rich ecosystem of Vista prevented Europe from falling into the hands of the Nazis.

#6 By 23275 (24.179.4.158) at Tuesday, July 31, 2007 09:54:51 AM

#5, Well... if it's not the Reich's Minister of FOSS/OSS propaganda himself... Good Morning, Herr Minister.

This post was edited by lketchum on Tuesday, July 31, 2007 at 10:08.

#7 By 32132 (66.183.202.89) at Tuesday, July 31, 2007 10:09:39 AM

#4, #6 Too over the top. Latch gets coffee for people. He can't be expected to actually read and understand an API spec. Neither, it seems, can Firefox programmers. Or apologists.

#8 By 32132 (66.183.202.89) at Tuesday, July 31, 2007 10:10:55 AM

Its really too bad US-CERT has embarrased itself to the point where it cannot be trusted.

#9 By 15406 (216.191.227.68) at Tuesday, July 31, 2007 10:26:32 AM

#6: Smells like Freudian projection to me.

#8: Yes, the entire world is out of order except you, Ketchum and Microsoft. CERT must have been compromised by cancerous Communists with open sores, or they're calling it as they see it -- one of the two.

#10 By 32132 (142.32.208.232) at Tuesday, July 31, 2007 10:47:10 AM

#9 I quote from the US-CERT advisory:

"IMPACT:

Microsoft Windows may incorrectly determine the appropriate application to handle a protocol. For example, a "safe" protocol such as mailto: may be incorrectly handled with an "unsafe" application, such as the Windows command interpreter. This can allow unexpected execution of arbitrary commands."

Since when does the above have anything to do with what is being discussed?

This post was edited by NotParker on Tuesday, July 31, 2007 at 10:47.

#11 By 23275 (24.179.4.158) at Tuesday, July 31, 2007 10:50:49 AM

#9, No, Latch, just extremists like yourself that have nothing better to do than hit Windows sites [nope - can't point your finger back at me... remember, I work on behalf of the site].
By the way... how many times have we to tell you... "no decaf!"

**I mean, Brah, we just can't take you seriously any longer... so we're not going to... and that is the heap upon which you have tossed yourself - so extreme - so consistently that we just can attach any import, or relevance to your comments any longer. That is exactly what happens to those on the left - people signing the front sides of checks recognize the noises you make for what they are, "noise."

#12 By 135 (209.180.28.6) at Tuesday, July 31, 2007 11:23:24 AM

Looks like someone here suffers from Firefox Derangement Syndrome.

#13 By 13030 (198.22.121.110) at Tuesday, July 31, 2007 11:28:38 AM

The zealots appear to be resorting to deflection and distraction tactics at this point. NotParker is harvesting API links as if they explain the problem, lketchum has crossed "forbidden" forum line by introducing a Nazi reference, latch comes back with one of his more humorous replies, and the whole thing tailspins into silliness. (I love this place.)

The CERT Vulnerability Note VU#403150 (http://www.kb.cert.org/vuls/id/403150) and the first comment on the news story site by "kruador" may explain the problem. The key point here is the URL encoding and decoding that is taking place under the covers of the ShellExecute series of functions. With IE7, the "escaping" of critical characters, such as the apostrophe, is where the problem can manifest itself. My guess is that Microsoft, in its attempts to make the browser and the OS inseparable, seems to have the ShellExecute API making use of an IE library function that functions differently with IE7.

#14 By 10748 (134.187.163.50) at Tuesday, July 31, 2007 12:37:09 PM

#6 *applause* ...

Sodablue??? I thought you dropped off the face of the earth... this thread is a reunion!

#15 By 15406 (216.191.227.68) at Tuesday, July 31, 2007 02:10:37 PM

#11: Hey, if you & your bud Parkkker don't want to take me seriously, I'll have to find a shrink and go into therapy. After all, validation from the two of you is the only thing getting me through each day.

fyi I stopped taking the opinions of you two Windows cheerleaders seriously a long time ago but I don't feel the need to announce it like I'm some self-important a-hole.

What exactly is an extremist in this context, and how would it differentiate me from you?

#16 By 32132 (142.32.208.232) at Tuesday, July 31, 2007 02:48:00 PM

Even the Mozilla programmers agree with me:

https://bugzilla.mozilla.org/show_bug.cgi?id=389580#c30

"As someone pointed out via email, we don't handle these web protocol handlers correctly."

And how do they deal with it? They pay attention to the API's.

https://bugzilla.mozilla.org/show_bug.cgi?id=389580#c37

"This is purely an experimental patch that avoids major changes by vetting URI through the newer CreateUri available post IE7. "

#17 By 32132 (142.32.208.232) at Tuesday, July 31, 2007 02:49:55 PM

And what happens when you read CreateURI:

"Warning Legacy file scheme URIs should be used only with legacy APIs that will not accept healthy file scheme URIs. Legacy file scheme URIs do not allow for percent-encoded octets, which can lead to ambiguity. Therefore, legacy file scheme URIs should not be used unless absolutely necessary."

http://msdn2.microsoft.com/en-us/library/ms775098.aspx

#18 By 32132 (142.32.208.232) at Tuesday, July 31, 2007 02:51:39 PM

#15 "After all, validation from the two of you is the only thing getting me through each day."

Bullsh*t.

Spewing hate and vitriol is what gets you through the day. You are a sick addict. ch and Kabuki are no different.

#19 By 15406 (216.191.227.68) at Tuesday, July 31, 2007 03:13:32 PM

http://en.wikipedia.org/wiki/Psychological_projection

#20 By 23275 (24.179.4.158) at Tuesday, July 31, 2007 03:15:16 PM

Latch, you can be a lot of fun - don't spoil it by "really" getting mad. It's just software...

And yes, it is as fun to get you going as it may be for you to get me going.

That all said, you gotta admit, there is a difference... here goes... we use Microsoft software and we and our customers benefit from it - hence our participation here... to learn share and poke fun at one another [on occasion]. This is not a *nix centric site - and there is the difference - you and I are here for different reasons and you won't find me on *nix centric sites bashing Unix, or Linux - which we do use - again, a difference between us - we actually do use *nix and Vista and other MS software. You don't seem to use both and your not an MS user/advocate, admin, or dev... surely you can see the difference is relevance.

Again, it's still fun to read what you say and even more so to leverage it and watch you come back - I wouldn't dish it if I couldn't take it... so swing away as you do. Just have some fun once in a while - it seems sometimes you don't.

#21 By 32132 (142.32.208.232) at Tuesday, July 31, 2007 03:33:45 PM

#19 I'm disappointed you couldn't actually even try and fake a reply to #16 and #17.

But you seem well informed about psychological problems .... no surprise.

#22 By 13030 (198.22.121.110) at Tuesday, July 31, 2007 04:29:45 PM

#16: Even the Mozilla programmers agree with me

Make sure you show the entire context surrounding the quote, otherwise you look like a Dan Rather trying to steamroll an agenda.

The next sentence, which you somehow forgot to include, makes it perfectly clear:

"As someone pointed out via email, we don't handle these web protocol handlers correctly. We generally trust SE to keep us safe, and that doesn't appear to have been the right approach."

The next post confirms what I found others saying and what my own tests have shown:

"Also, some test results - last night I spent mostly with IE6, and was unable to get calc to launch. After an upgrade to IE7, I've confirmed the calc / mailto thing works."

And how do they deal with it? They pay attention to the API's.

Actually, existing core OS APIs should never change in their behavior in manner such as this merely due to the upgrade of an application (IE7)--this violates accepted software development practices. Developers write code depending upon things like this to behave predictably.

I find lketchum's silence on the technical issue at hand to be interesting...

ch and Kabuki are no different.

lol. This coming from the person who can't comprehend someone having a vested interest in a company (both in my career and as a shareholder) and expecting that company to always take the high road. Granted, Microsoft does right more than wrong, but it's things like this that cause frustration since I see the technical failing for exactly what it is.

#23 By 32132 (142.32.208.232) at Tuesday, July 31, 2007 05:09:37 PM

#22 I refer you to the admission that yes, there is a bug in Firefox's handling or URL's.

"#4 in comment 30 is bug regardless of whether we use ShellExecute as we are now
or do the more indepth duplication of Windows behavior."

https://bugzilla.mozilla.org/show_bug.cgi?id=389580#c35

Further reading:

http://msinfluentials.com/blogs/jesper/archive/2007/07/20/hey-mozilla-quotes-are-not-legal-in-a-url.aspx

#24 By 23275 (24.179.4.158) at Tuesday, July 31, 2007 05:49:57 PM

#22, There is a reason for that... technically both are wrong and I don't see any quick way to fix it, either. That said, both sides are right and for the same reason. Responding technically to Latch is a lost cause - it does no good. So I may as well have some fun as I test the site and make sure it is okay and safe from some creep in BR who's DL'd a program designed to try and hurt really old tech that I have zero control over... <not that there are not a hundred ways to take care of that and flex-cuff the idiot to a tree - which has nothing to do with Latch or the subject...> so actually, the technical silence is perhaps a lot more complex and interesting than meets even your obviously well tuned sense of things (which is kind of cool and suggests that you're a lot smarter that even your smart posts suggest).

Ya'll remeber Halcyon, or some such spelling? - I used to debate him almost daily - he was a *nix advocate that debated based upon merit and that effort was worthy of the time. He seems to have been replaced by Latch here from the FOSS/OSS side and since, it's been one barb after another - from both sides. That's okay and even fun, but it does not make for great technical debate. I'm too old, and too busy to mess with that.

#25 By 15406 (216.191.227.68) at Wednesday, August 01, 2007 08:49:54 AM

#20: This is not a *nix centric site

True and irrelevant. I'm not usually waving the flag for Linux or UNIX; I'm usually throwing tomotoes at MS for their poor behaviour.

you won't find me on *nix centric sites bashing Unix, or Linux

If you have a problem with UNIX, be my guest and vent on UNIX sites.

You don't seem to use both and your not an MS user/advocate, admin, or dev... surely you can see the difference is relevance.

Things aren't always as they seem, are they? I am most certainly an MS user, since it's practically impossible to own a PC and not be (can you say 'monopoly' and 'lock-in' children? I knew you could.) I am definitely not an advocate. Their software isn't terrible (some of it is even good), but their business behaviour is unethical & underhanded. That I cannot support in good conscience. Others will overlook anything for the right price. I am also a developer and do most of my work under Windows.

I still don't see from your explanation how I'm an extremist (again, whatever that means) versus yourself. I will comment on the warts of UNIX, FOSS or MS, while you and your merry band only see the sunny side of the MS street and totally overlook the long history of bad deeds. So, again I ask you: who is the extremist?

#26 By 13030 (198.22.121.110) at Wednesday, August 01, 2007 09:38:58 AM

#23: I refer you to the admission that yes, there is a bug in Firefox's handling or URL's.

Item 4 mentioned comment #30 (from the linked story site) is not addressing the issue at hand. What they are referring to would bullet-proof against some other unforeseen problem which may or may not even be possible. Your other link throws an error, so I can't address that. Read what lketchum has said and you will realize that you are defending, at the minimum, a precarious position.

#24: ...which is kind of cool and suggests that you're a lot smarter that even your smart posts suggest

Well, thank you (I think).

Actually, I use the old journalism maxim of writing to a 5th grade audience for the benefit of the other gentle ActiveWin readers. <duck for cover>

Personally, I like Latch's approach and the way he always elicits commentary. It keeps the zealots on their toes--something that zealots generally don't like to do.

This post was edited by ch on Wednesday, August 01, 2007 at 09:39.

#27 By 23275 (24.179.4.158) at Wednesday, August 01, 2007 10:12:41 AM

#26, it was meant as a sincere compliment, so, you're welcome.

Defending/attacking from either side of this issue is precarious and more than a little pointless. The better approach is what I think is actually happening and that each side's devs are taking full responsibility for their own code and working "with" one another to affect solutions [I have to believe that, because that is the only approach that serves shared customers' interests and if that is not happening, well... the SW industry needs to grow up a bit <more>]. That said...

In forums, as in personal letters, I write as though the person is sitting across from me - hence all my "dashes" - conveying natural pauses in one's spoken patterns of speech and not unlike "BT" or "STOP" for guys that used to or still hit a Morse key and amateur radio. e.g., the thoughts are what matter. Any case... what I want to offer regarding this is that devs [big and small] have to forgive themselves and one another just a little bit. A lot has changed in the past five or six years and a lot more quickly than dev tools and practices have. We have to accept that and stop pretending that all the change we have seen - as exploitation of code and people has evolved as a business [albeit a criminal one]. We have to think about the API's we have all used, or been exposed to indirectly and how they have evolved opposite the onslaught of specific and blended threats. We have to be adult about our understanding of IE in the context of intergration.... on one hand it is not nearly as tightly integrated to Windows as people assess "technically" - and also embrace that at one time and in the context of Windows as a "Product" that it was integrated more meaningfully. So it is both and both are valid. That still is not the issue here nor will it be in the future. The future is in treating apps components as secured objects independent of user name space - that much is certain - components facing networks [any network] have to be isolated and further, the means to escalate any process has to be subject to a brokering process that controls it. Fortunately, that future already exists - it is just not being embraced and if there is a scrub with MOZ/FF it is in this area and how stubborn they seem to be about it - I say seem to be, as there is no way for me to know for sure. Again, we have to be willing to accept that so much has changed; that we are all in this game together and that securing at the object level is where we need to go - I'm just not sure that even Microsoft can get its partners out of the corner we are all painted into quickly - so expect a longer and bumpier ride. As we travel that road, try to have as much fun as possible and try and forgive the guy next to you - we all did this, and no one saw it all coming as fast as it did. If we want to blame someone, let's blame the bad guys - the criminals that don't give a crap about what browser we use, or who did what - they'll TAKE whatever they can get from all of us.

#28 By 23275 (24.179.4.158) at Wednesday, August 01, 2007 10:39:56 AM

#26, Oh, curious.... I always wondered why people concluded that working to get the most out of platforms that are so common that they present themselves as the standards and therefore the realities that we face, is regarded as "zealotry?"

It isn't. It is that things that are real, just are - just are that, "real"

In the right hands, with a tiny bit of planning, Windows Vista is a great operating system and certainly well ahead of Windows XP in so many ways, that going back to an XP box is just, well... painful - like driving a really old, dated care without AC and or power steering is more painful - yeah, you can get down the road, but drive around town in August? No thanks.

So, may as well focus on how to get the most out of the new ride... right? See my point?

Latch elicits a "response" but he is not a gate keeper and there is an important difference - one leads to discourse, the other a brawl. So it depends upon what you're in the mood for. Some days it is fun, but it is more fun to embrace the reality we share and then see what we can build on, or with it and how what is built might be used. Did you all ever toy with the idea of shaping the likes of Microsoft from the outside - how our collective influence can modify what they do? I for one am with Fritzly - I want them to track a much more modern OS for the non-enterprise market and let us use something different - I want them to make some bold moves and really open up what is possible. I sincerely believe that the problem with Windows Vista and the same problem OS X and XP have - in reality, they do not inspire us at all - the aged desktop metaphor is inappropriate, boring and as common as our grand daddy's Buick. We're tired of it and down deep we wanted something that was so much more - instead, we suck on a pro/con-sumer version of a stodgy enterprise desktop that is as bland as a bankers antique desk. In our small little way of saying, "hey, this is what we meant, we're building a canvas for all of you and Awin and appointing all of you the artists - hopefully driving a big fat stake through the heart of the old metaphors and desktop in the process."

#29 By 32132 (142.32.208.232) at Wednesday, August 01, 2007 10:48:35 AM

"Read what lketchum has said and you will realize that you are defending, at the minimum, a precarious position."

If you read the link I posted, there are many, many others defending the same position. There are numerous examples of how Firefox should have dealt with the URI's. They chose the wrong method.

And Mozilla patched Firefox admitting to a serious flaw in their handling of URI's.

#30 By 135 (209.180.28.6) at Wednesday, August 01, 2007 10:51:59 AM

lketchum/NotParker - Who cares?

You're not helping anyone here with angry rants against firefox.

#31 By 32132 (142.32.208.232) at Wednesday, August 01, 2007 01:12:22 PM

#30 Angry rant?

Please quote anything from this discussion (that I posted) that is an "angry rant against Firefox"?

Why is criticism of Firefox an "angry rant"?

#32 By 32132 (142.32.208.232) at Thursday, August 02, 2007 11:03:08 AM

#30 .... hello .... anyone there?

replica watches