
RE: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

From: Juergen Schmidt <ju(at)heisec.de>
Date: Sat Oct 06 2007 - 06:46:47 EDT


Roger A. Grimes writes:

> The applications in question are accepting arbitrary input and not
> validating correctly.

No -- they are handing the input over to the operating system -- which is a reasonable thing to do for things that start with mailto|http|...

> How is that a Microsoft or Windows problem?

Ok, so just Microsoft and Windows:

Enter

mailto:test%../../../../windows/system32/calc.exe".cmd

in "Start/Run"

  1. on a system with Windows XP and IE6. Outlook Express is executed as expected.
  2. now do the very same thing on a system with Windows XP and IE7. calc.exe is executed.
  3. Now do the very same thing on a system with Windows Vista. You get a "... could not be found".

No 3rd party software involved, just Microsoft and Windows -- three different reactions. That is not what I would call a reliable and therefore secure basis for applications.

You can probably argue in favour of any of those reactions -- but not for all of them.

bye, ju

-- 
Juergen Schmidt    editor-in-chief    heise Security     www.heisec.de
Heise Zeitschriften Verlag,    Helstorferstr. 7,       D-30625 Hannover
Tel. +49 511 5352 300      FAX +49 511 5352 417       EMail ju@heisec.de
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970
Received on Sat Oct 6 10:26:28 2007
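As an added example that is not part of the post or of any product named in the thread, here is the kind of strict allowlist check an application can run on a mailto: URI before handing it to the operating system. It refuses the URI from the post (a bare "%" that is not valid percent-encoding, plus quote and slash characters) and only forwards addresses and header fields it recognises; the address syntax used is a dot-atom subset of RFC 5322 and the header list follows RFC 6068.

```python
import re
from urllib.parse import unquote

# Sample input, copied from the post: a mailto: URI that carries a path
# traversal and a quoted ".cmd" suffix instead of a mail address.
SUSPECT_URI = 'mailto:test%../../../../windows/system32/calc.exe".cmd'

# Dot-atom local part and dotted domain (RFC 5322 addr-spec subset).
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_ADDR_SPEC = re.compile(rf"^{_ATEXT}(\.{_ATEXT})*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
# Header fields we are willing to forward to the mail client (RFC 6068).
_ALLOWED_HEADERS = {"subject", "body", "cc", "bcc"}


def validate_mailto(uri: str) -> tuple[bool, str]:
    """Return (ok, reason). Accept only a strictly formed mailto: URI.

    Allowlist approach: anything that is not provably an address list plus
    known header fields is refused before the string reaches the OS.
    """
    if not uri.lower().startswith("mailto:"):
        return False, "not a mailto URI"
    rest = uri[len("mailto:"):]
    # A '%' must be followed by two hex digits; anything else is malformed.
    if re.search(r"%(?![0-9A-Fa-f]{2})", rest):
        return False, "malformed percent-encoding"
    to_part, _, query = rest.partition("?")
    decoded_to = unquote(to_part)
    # Quotes, slashes, backslashes, whitespace and control characters
    # never belong in an address list, so reject them outright.
    if re.search(r'["/\\\s\x00-\x1f]', decoded_to):
        return False, "forbidden character in address part"
    addrs = [a for a in decoded_to.split(",") if a]
    if not addrs:
        return False, "empty address list"
    for addr in addrs:
        if not _ADDR_SPEC.match(addr):
            return False, f"invalid address: {addr!r}"
    # Only forward header fields the mail client is expected to handle.
    for field in filter(None, query.split("&")):
        name, _, _value = field.partition("=")
        if name.lower() not in _ALLOWED_HEADERS:
            return False, f"unsupported header: {name!r}"
    return True, "ok"


if __name__ == "__main__":
    print(validate_mailto(SUSPECT_URI))
    print(validate_mailto("mailto:ju@heisec.de?subject=Hello%20World"))
```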

This archive was generated by hypermail 2.1.8 : Sun Oct 28 2007 - 06:19:35 EDT

