<<< Date Index >>>     <<< Thread Index >>>

RE: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype



Roger A. Grimes writes:

> The applications in question are accepting abitrary input and not 
> validating correctly.

No -- they are handing the input over to the operating system -- which is 
a reasonable thing to do for things that start with mailto|htpp|...


> How is that a Microsoft or Windows problem? 

Ok, so just Microsoft and Windows: 

Enter

mailto:test%../../../../windows/system32/calc.exe".cmd 

in "Start/Run"

1) on a system with Windows XP and IE6. Outlook Express is executed as 
expected.

2) now do the very same thing on a system with Windows XP and IE7. 
calc.exe is executed.

3) Now do the very same thing on a system with Windows Vista. You get a 
"... could not be found"

No 3rd party software involved, just Microsoft and Windows -- three 
different reactions. That is not what I would call a reliable and therefor 
secure basis for applications.

You can propably argue in favour of any of those reactions -- but not for 
all of them.

bye, ju


-- 
Juergen Schmidt    editor-in-chief    heise Security     www.heisec.de
Heise Zeitschriften Verlag,    Helstorferstr. 7,       D-30625 Hannover
Tel. +49 511 5352 300      FAX +49 511 5352 417       EMail ju@xxxxxxxxx
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970