Bugtraq mailing list archives

RE: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

From: Juergen Schmidt <ju () heisec de>
Date: Sat, 6 Oct 2007 12:46:47 +0200 (CEST)

Roger A. Grimes writes:

The applications in question are accepting abitrary input and not 
validating correctly.


No -- they are handing the input over to the operating system -- which is 
a reasonable thing to do for things that start with mailto|htpp|...

How is that a Microsoft or Windows problem?


Ok, so just Microsoft and Windows: 

Enter

mailto:test%../../../../windows/system32/calc.exe".cmd 

in "Start/Run"

1) on a system with Windows XP and IE6. Outlook Express is executed as 
expected.

2) now do the very same thing on a system with Windows XP and IE7. 
calc.exe is executed.

3) Now do the very same thing on a system with Windows Vista. You get a 
"... could not be found"

No 3rd party software involved, just Microsoft and Windows -- three 
different reactions. That is not what I would call a reliable and therefor 
secure basis for applications.

You can propably argue in favour of any of those reactions -- but not for 
all of them.

bye, ju


-- 
Juergen Schmidt    editor-in-chief    heise Security     www.heisec.de
Heise Zeitschriften Verlag,    Helstorferstr. 7,       D-30625 Hannover
Tel. +49 511 5352 300      FAX +49 511 5352 417       EMail ju () heisec de
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970

Current thread:

Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype, (continued)
- - - Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype Geo. (Oct 09)
    - Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Valdis . Kletnieks (Oct 09)
    - Message not available
    - Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype gjgowey (Oct 09)
    - Message not available
    - Fwd: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype merigoth (Oct 11)
    - Message not available
    - Third-party patch for CVE-2007-3896 (Internet Explorer 7 invalid URI handling) available KJK::Hyperion (Oct 15)
    - Re: Third-party patch for CVE-2007-3896, UPDATE NOW KJK::Hyperion (Oct 17)
    - Re: URI handling woes in Acrobat Reader, Netscape,Miranda, Skype Thierry Zoller (Oct 11)
    - RE: Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Roger A. Grimes (Oct 09)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Andreas Lindenblatt (Oct 09)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Andreas Lindenblatt (Oct 09)
- RE: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Juergen Schmidt (Oct 06)
- Re[2]: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Thierry Zoller (Oct 06)
  - Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype Morning Wood (Oct 09)
- RE: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Jim Slora (Oct 09)