RE: URI handling woes in Acrobat Reader, Netscape, Miranda, Skyp
[Disclosure: I work for Microsoft. But this is my opinion, not =
Microsoft's]
If I click on the test link in IE 7, by itself, it does not have the =
vulnerability.
The applications in question are accepting abitrary input and not =
validating correctly.=20
How is that a Microsoft or Windows problem?
Don't get me wrong, I want to protect end-users as much as the next =
person (as does MS), but if it is the application not validating =
correctly, could there not be hundreds of potential characters and =
strings that cause input validation problems in particular =
circumstances, which will vary according to the application?
If Microsoft scrubs out every potential malicious character, it's bound =
to break lots of legitimate applications. That would make plenty of =
users and developers mad.
At what point should Microsoft scrub URIs so that it hands off only =
"legitmate" characters "most of the time"? How could Microsoft =
determine ahead of time what is and isn't legitimate characters to pass =
to applications they don't own? If they block characters that affect =
certain applications, it might cause problems in other applications that =
have no problem with the character(s) in question?
What is the solution? The easy answer is to block the % character in =
this particular instance...but that's just a whack-a-mole fix. =20
I'm asking, with genuine interest and a listening ear, what is the best =
long term solution you envision, to solve the larger problem?
Roger
*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist=20
*CPA, CISSP, CISA, MCSE: Security (2000/2003), CEH, yada...yada...
*email: roger_grimes@infoworld.com or roger@banneretcs.com
*Author of Windows Vista Security: Securing Vista Against Malicious =
Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/04701=
01555
*****************************************************************
-----Original Message-----
From: Juergen Schmidt [mailto:ju@heisec.de]=20
Sent: Friday, October 05, 2007 8:59 AM
To: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
Subject: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype
Hello,
the URI handling problem on Windows XP systems with IE 7 installed hits =
a lot of applications, not only Firefox (and mIRC) -- namely Skype, =
Acrobat Reader, Miranda, Netscape.
To recap: with the installation of IE 7 Microsoft changes the handling =
of URLs that are passed to the operating system on Windows XP. After =
this, URLs that contain an invalid "%" encoding can launch abitrary =
programms. One example is:
mailto:test%../../../../windows/system32/calc.exe".cmd
that launches the calculator when activated in affected applications.=20
Firefox fixed this problem in 2.0.6. After being notified by heise =
Security, Skype fixed the problem in 3.5.0.239.
Still vulnerable (as of 4th of October) are:
Adobe Acrobat Reader 8.1: If a user clicks on such a link
in a PDF, calc.exe is executed.
Miranda v0.7: If a user klicks on this link in a chat window, calc.exe =
is=20
executed
Netscape 7.1: mailto is handled by Netscape itself, but=20
similar telnet:-links start the calculator.
This list can propably be extended with little effort.
On a question to MSRC if Microsoft is planning to react on this, we=20
recieved the following response:
"After its thorough investigation, Microsoft has revealed that this is=20
not a vulnerability in a Microsoft product."=A0
For further information see:
http://www.heise-security.co.uk/news/96982
bye, ju
--=20
Juergen Schmidt editor-in-chief heise Security www.heisec.de
Heise Zeitschriften Verlag, Helstorferstr. 7, D-30625 Hannover
Tel. +49 511 5352 300 FAX +49 511 5352 417 EMail ju@heisec.de
GPG-Key: 0x38EA4970, 5D7B 476D 84D5 94FF E7C5 67BE F895 0A18 38EA 4970
討論串 (同標題文章)
完整討論串 (本文為第 1 之 3 篇):