Very short summary:

  1. IE pwns Firefox and Mozilla blames Microsoft for not sanitizing URLs before throwing them at other applications.
  2. Firefox pwns... all the world and Mozilla recognizes the same bug that had been blamed on IE affects Firefox itself.
  3. Mozilla devs fix their bug immediately, while people like Alun Jones (Security Microsoft Valued Partner) and Markellos Diorinos (IE Product Manager) deny such a bug exists at all, thus IE won't be fixed.
  4. ...
  5. Profit!

And this time I can't even insert my usual NoScript plug ;)

8 Responses to “IE's "Non-Bug" Can Cost Your (Second)Life”

  1. #1 Alan Baxter says:

    Markellos Diorinos' link is hosed. It just points back to hackademix.

  2. #2 Giorgio says:

    @Alan Baxter: fixed, thanks.

  3. #3 Awesome AnDrEw says:

    As I said on PDP's blog it's a beautiful thing. It's both amusing, and useful (not specifically for me since I don't spend my time with such applications).

  4. #4 Ix says:

    Hmm... interesting exploit, good thing I don't use IE or SL. Though one does have to wonder: if enough of these problems show up and cause enough monetary damage, could MS be held responsible or be forced to fix IE? I certainly hope so, I'd pay money to see them try to fix it, fail, then have to admit they don't know what they're doing anymore. I'd suppose it comes down to whether they could be held as an accomplice to the theft by holding open a doorway for the thieves to use.

    For a little clarification since I've never used bugzilla before, did it only take about 10 lines of code to fix this in FF?
    If so what's that say about MS taking the "It's not a bug, it's a feature" stance? "We can't write 10 lines of good, working code so we just won't admit it's a problem"?

  5. #5 Giorgio says:

    You read it right, 10 lines.

    Regarding why Microsoft can't admit it's a bug, the reason is obviously not that they're unable to write a patch.
    From what Alun Jones told me a couple months ago, when we first discussed this issue, I got the idea they're afraid to break "compatibility" with applications which expect an unsanitized URL to be passed as it is on their command line.

  6. #6 Ix says:

    Mmm... "compatibility", the same reason why they're resisting making IE display web sites in a standards compliant fashion. Really though, I think if they fessed up that it's a security problem on the level it appears to be, even normal people would tell MS that they don't care about compatibility when it means their computers are this wide open to attack.

    I'll admit I don't know much about sanitized URLs, but I haven't run into any problems with the method Firefox uses; the few sites I visit that open something like my IM client can still open the IM client. I just don't see, with what I know, why MS can't work out something like Mozilla did, and why they'd leave everyone vulnerable just for some backwards compatibility, especially when everything I've used hasn't had any problems with the sanitizing.

  7. #7 Alun Jones says:

    Okay, first, MVP means "Most Valuable Professional" - I am not a Microsoft Partner, that's a different programme.
    Second, I don't see this as a bug in IE. You do. This is a vulnerability in the protocol handler, which in this case is Firefox - even in the case where IE is involved! The vulnerability is available because of a number of things. One of these is that IE doesn't inspect the protocol handler URL for specific character sequences, presumably because IE believes that it's the protocol handler's duty to watch for those things - and according to the documentation, it is, because there are a large number of ways in which a URL might come to the protocol handler, only one of which is through IE.
    Firefox now scans for 'bad' characters in the URL before passing it to the protocol handler (short-sighted, you should always scan for 'good' characters, and disallow everything else, rather than scanning for 'bad' characters and allowing everything else), and they also fix the check inside the protocol handler portion of Firefox. The first is a nice thing for them to do, as it allows you to run broken protocol handlers with impunity - but then, isn't that a bit of a problem, since you now have a broken protocol handler waiting for someone to find a different way to trigger it? [From Quicktime, say, as happened, or some other application.]
    What shouldn't be up for argument is that Firefox's protocol handler had a vulnerability, and Firefox absolutely had a responsibility to fix that vulnerability.
    What is up for debate is whether the browser has a responsibility to try and anticipate flaws in the protocol handler, and try and head them off at the pass by encoding arguments. There's a chicken-and-egg scenario there, of course, in that the protocol handler may very well simply decode incoming arguments and then pass them to the same broken piece of parsing logic!
    You could argue defence in depth applies here, and that the browser is applying a DiD approach by encoding URLs that it passes to the protocol handler, but then that just adds to browser complexity, for not much recognisable gain, in my opinion. Sure, it's only ten lines (I could do it in 9), but then you'd have to test the whole browser, and package in all the other changes that have occurred since the last revision, and send that package out (or pay the cost of supporting and documenting a hundred different branches of the browser - a cost that Mozilla doesn't have to care about).
    If defence in depth applies, of course, you also have to ask why the firewall or the TCP stack doesn't scan for, and fix, the broken sequence of characters. The same response - added complexity, minimal-to-no benefit.
    Besides, doing the same thing at two layers does not constitute defence in depth, it constitutes redundancy of the bad kind.
    I would guess that much of Microsoft's reasoning about IE relates to whether they should spend time fixing bugs in other people's programs, or bugs in their own. Which would you rather?
    Oh, and when you paraphrase me, it'd be nice to let me know, so I can tell whether you have my sentiment right or not. Thanks.
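The exchange above (Giorgio's "unsanitized URL passed as it is on their command line", Alun's point about the protocol handler doing its own parsing, and his preference for scanning for 'good' characters rather than 'bad' ones) is easier to reason about with a concrete model. The following is an added example, not code from this post, from Mozilla or from Microsoft: it models a registered handler command template with a `%1` placeholder, a simplified Windows command-line splitter, and a deny-list versus an allow-list sanitizer. The handler path, the two templates, and the constructed URL are assumptions for illustration, and the splitter is a simplification of how Windows tokenises a command line, not a faithful copy of it.

```python
# Added example (not from hackademix.net, Mozilla or Microsoft).
# Models: browser substitutes a URL into a protocol handler's registered
# command template, the handler process tokenises that command line, and a
# URL containing the argument delimiter can smuggle extra arguments.
import re
from urllib.parse import quote

# Hypothetical registrations in the style of HKCR\myproto\shell\open\command.
# Both the application path and the flag name are assumed for the example.
QUOTED_TEMPLATE = '"C:\\Program Files\\MyApp\\myapp.exe" -url "%1"'
UNQUOTED_TEMPLATE = '"C:\\Program Files\\MyApp\\myapp.exe" -url %1'


def split_windows_argv(cmdline: str) -> list:
    """Simplified Windows-style tokeniser: double quotes group text,
    backslashes are literal unless they precede a quote (2n backslashes
    before a quote give n backslashes, 2n+1 give n backslashes plus a
    literal quote). Empty "" arguments are dropped for brevity."""
    args, cur, in_quotes, i, n = [], [], False, 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == '\\':
            j = i
            while j < n and cmdline[j] == '\\':
                j += 1
            nbs = j - i
            if j < n and cmdline[j] == '"':
                cur.append('\\' * (nbs // 2))
                if nbs % 2 == 1:          # escaped literal quote
                    cur.append('"')
                    i = j + 1
                else:                     # quote acts as a delimiter
                    i = j
            else:
                cur.append('\\' * nbs)
                i = j
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c in ' \t' and not in_quotes:
            if cur:
                args.append(''.join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        args.append(''.join(cur))
    return args


def launch_argv(template: str, url: str) -> list:
    """argv as the handler would see it if the browser substitutes the URL
    into %1 verbatim (the behaviour the thread attributes to IE)."""
    return split_windows_argv(template.replace('%1', url))


def sanitize_denylist(url: str) -> str:
    """Deny-list approach: percent-encode only the one known-bad delimiter.
    An approximation of the idea, not Mozilla's actual patch."""
    return url.replace('"', '%22')


# RFC 3986 unreserved + reserved characters, plus '%' for existing escapes.
_ALLOWED = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]")


def sanitize_allowlist(url: str) -> str:
    """Allow-list approach (what Alun Jones argues for): keep only characters
    a URL may legitimately contain and percent-encode everything else."""
    return ''.join(ch if _ALLOWED.match(ch) else quote(ch, safe='') for ch in url)


if __name__ == '__main__':
    # Constructed input: closes the quoted %1 and adds a second flag.
    hostile = 'myproto://example.test/path" -extra-flag "'
    for label, url in (('raw', hostile),
                       ('denylist', sanitize_denylist(hostile)),
                       ('allowlist', sanitize_allowlist(hostile))):
        print(label, 'quoted  :', launch_argv(QUOTED_TEMPLATE, url))
        print(label, 'unquoted:', launch_argv(UNQUOTED_TEMPLATE, url))
```

With the quoted template, the raw URL yields four arguments (the injected `-extra-flag` becomes its own argv entry) while either sanitizer keeps the URL as one argument. With the unquoted template, which a handler could equally well register, the deny-list version still splits on the spaces because it only ever looked for the quote; the allow-list version encodes the spaces too and survives both registrations. That is the practical difference between scanning for 'bad' and scanning for 'good' characters.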

  8. #8 nap says:

    Big news, Microsoft apparently acknowledges a URL-handling bug!
    (Microsoft Security Advisory (943521): URL Handling Vulnerability in Windows XP and Windows Server 2003 with Windows Internet Explorer 7 Could Allow Remote Code Execution)
