Full Disclosure mailing list archives
Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype
From: Valdis.Kletnieks () vt edu
Date: Sun, 07 Oct 2007 11:21:01 -0400
On Sat, 06 Oct 2007 12:43:16 EDT, "Geo." said:
If the application is what exposes the URI handling routine to untrusted code from the internet, then it's the application's job to make sure that code is trusted before exposing system components to it's commands, no?
I think that given a system service that says "I will handle a mailto: URI", that a programmer can *reasonably* expect the following: 1) That it will be handed to a program that actually does e-mail, and not a calculator. calc.exe hasn't *yet* followed the programming aphorism that every program grows until it can read e-mail. 2) That said program can protect itself against overtly malicious input. "When people pcp a chocky in their mouth, they don't expect steel bolts to string out and pierce their cheeks" -- Monty Python.
Attachment:
_bin
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype, (continued)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Gregory Rubin (Oct 09)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Geo. (Oct 07)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Lamer Buster (Oct 07)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype KJK::Hyperion (Oct 07)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Geo. (Oct 06)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype James Matthews (Oct 07)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Thierry Zoller (Oct 07)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Geo. (Oct 07)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype 3APA3A (Oct 08)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Thierry Zoller (Oct 09)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Valdis . Kletnieks (Oct 07)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Geo. (Oct 07)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype KJK::Hyperion (Oct 07)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype gjgowey (Oct 07)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype john lokka (Oct 09)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype KJK::Hyperion (Oct 09)
- Third-party patch for CVE-2007-3896 (Internet Explorer 7 invalid URI handling) available KJK::Hyperion (Oct 13)
- Re: Third-party patch for CVE-2007-3896, UPDATE NOW KJK::Hyperion (Oct 17)
- I made third-party patch for CVE-2007-3896 (Internet Explorer 7 invalid URI handling) KJK::Hyperion (Oct 14)
- Re: I made third-party patch for CVE-2007-3896 (Internet Explorer 7 invalid URI handling) KJK::Hyperion (Oct 14)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Thierry Zoller (Oct 11)