Bugtraq mailing list archives
RE: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype
From: Juergen Schmidt <ju () heisec de>
Date: Sat, 6 Oct 2007 12:46:47 +0200 (CEST)
Roger A. Grimes writes:
> The applications in question are accepting arbitrary input and not validating correctly.

No -- they are handing the input over to the operating system -- which is a reasonable thing to do for things that start with mailto|http|...

> How is that a Microsoft or Windows problem?

Ok, so just Microsoft and Windows:

Enter

mailto:test%../../../../windows/system32/calc.exe".cmd

in "Start/Run"

1) on a system with Windows XP and IE6.
   Outlook Express is executed as expected.

2) now do the very same thing on a system with Windows XP and IE7.
   calc.exe is executed.

3) Now do the very same thing on a system with Windows Vista.
   You get a "... could not be found"

No 3rd party software involved, just Microsoft and Windows -- three different reactions. That is not what I would call a reliable and therefore secure basis for applications. You can probably argue in favour of any of those reactions -- but not for all of them.

bye, ju

--
Juergen Schmidt
editor-in-chief heise Security www.heisec.de
Heise Zeitschriften Verlag, Helstorferstr. 7, D-30625 Hannover
Tel. +49 511 5352 300 FAX +49 511 5352 417
EMail ju () heisec de
GPG-Key: 0x38EA4970, 5D7B 476D 84D5 94FF E7C5 67BE F895 0A18 38EA 4970
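
Added example, not part of the original message or of any vendor's code: since the three systems above react differently to the same string, an application can check a URI itself before handing it to the operating system. The function name, the scheme allowlist and the strict RFC 3986 character check are assumptions of this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist: schemes this application agrees to hand to the OS. */
static const char *const ALLOWED_SCHEMES[] = { "mailto", "http", "https" };

/* Case-insensitive match of uri[0..len) against the allowlist. */
static int scheme_allowed(const char *uri, size_t len) {
    for (size_t i = 0; i < sizeof ALLOWED_SCHEMES / sizeof *ALLOWED_SCHEMES; i++) {
        const char *s = ALLOWED_SCHEMES[i];
        if (strlen(s) != len) continue;
        size_t j = 0;
        while (j < len && tolower((unsigned char)uri[j]) == s[j]) j++;
        if (j == len) return 1;
    }
    return 0;
}

/* Returns 1 only if uri has an allowlisted scheme, uses only RFC 3986
 * characters, and every '%' is followed by exactly two hex digits. */
int uri_ok_for_os_handoff(const char *uri) {
    static const char extra[] = "-._~:/?#[]@!$&'()*+,;="; /* non-alphanumeric URI chars */
    const char *colon = strchr(uri, ':');
    if (colon == NULL || !scheme_allowed(uri, (size_t)(colon - uri))) return 0;
    for (const char *p = colon + 1; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '%') {
            if (!isxdigit((unsigned char)p[1]) || !isxdigit((unsigned char)p[2]))
                return 0;   /* malformed escape such as "%.." */
            p += 2;
        } else if (c >= 0x80 || (!isalnum(c) && strchr(extra, c) == NULL)) {
            return 0;       /* double quote, backslash, space, control bytes */
        }
    }
    return 1;
}

int main(void) {
    /* Constructed samples; the second is the string quoted in the message. */
    const char *samples[] = {
        "mailto:test@example.com?subject=hello%20world",
        "mailto:test%../../../../windows/system32/calc.exe\".cmd",
        "file:///C:/windows/system32/calc.exe",
    };
    for (size_t i = 0; i < 3; i++)
        printf("%-6s %s\n", uri_ok_for_os_handoff(samples[i]) ? "pass" : "reject", samples[i]);
    return 0;
}
```

The string from the message is rejected twice over: `%..` is not a valid percent escape, and the double quote is not a legal URI character.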