Microsoft: 'Very difficult' to block IE attack vector

Summary: A member of Microsoft's Internet Explorer team says it is "very difficult" to put protections in place to block the protocol handlers attack vector exposed by the recent IE-to-Firefox code execution vulnerability.


A member of Microsoft's Internet Explorer team says it is "very difficult" to put protections in place to block the protocol handlers attack vector exposed by the recent IE-to-Firefox code execution vulnerability.

Markellos Diorinos, a product manager on the IE team, insists it is the responsibility of the receiving (called) application to make sure it can safely process the incoming parameters.

This stance is in sharp contrast to Mozilla's position that this is a critical IE vulnerability.

In an entry to the IE team blog, Diorinos writes:

Custom URL handlers enable third party applications (such as streaming media players and internet telephony applications) to directly launch from within another application - commonly a web browser but even using a command line from Start > Run. For example, the “mailto:” custom URL handler enables you to click on a link and start writing an email. To make these custom URL handlers more useful, they can accept parameters that provide more specific instructions. For instance mailto: accepts parameters like subject and body.

The number of potential applications (and protocol handlers) is effectively limitless, allowing for many new and exciting ways to enrich the Web. However, as with many extension models, there are security implications. In this example, one potential threat is that the custom URL may have dangerous parameters, such as strings that are too long and might cause a buffer overflow. The limitless variety of applications and their unique capabilities make it very difficult to have any meaningful automated parameter validation by the hosting (caller) application. It is the responsibility of the receiving (called) application to make sure it can safely process the incoming parameters.

He did not say specifically that Microsoft will not be issuing an IE patch. Instead, Diorinos pointed out that Protected Mode in IE7 in Windows Vista provides some additional protection when a user clicks on Application URL Protocol links.

This means that Vista users running IE get a roadblock that reads:

"A website wants to open web content using this program on your computer"

However, Windows customers running IE 7 on Windows XP get no such warning.
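To make the mechanism Diorinos describes concrete, here is an added illustration; it is not code from this article, from Microsoft or from Mozilla. It models a caller that substitutes a custom URL into a registered handler's command template without touching it, then splits the resulting command line with the classic Windows quoting rules, which is how the handler's runtime would see its arguments. The `example:` scheme, the `handler.exe` path, the `-url` and `-requestPending` switches and the injected payload are all constructed for the illustration; `-chrome` is the Firefox switch the comment thread names, used here only as a stand-in for an assumed privileged switch of the hypothetical handler. The block shows the called-application check the article argues for (insist on exactly the argument shape the registration produces and on a well-formed URL for the right scheme), and also the caller-side escaping that a comment further down proposes (percent-encode quotes and whitespace before substitution), so both sides of the argument can be run.

```python
"""Custom URL handlers: verbatim %1 substitution versus the called app's check.
Added illustration, not code from the article, Microsoft or Mozilla; the scheme,
command template, switches and payload are constructed for it."""
import re
from typing import Optional
from urllib.parse import quote

# Constructed stand-in for a handler's registry command value
# (HKCR\example\shell\open\command); path and switches are assumptions.
HANDLER_TEMPLATE = r'"C:\Program Files\Example\handler.exe" -url "%1" -requestPending'

# Constructed URL: the quote closes the caller's "%1" early and smuggles in an
# extra switch. "-chrome" stands for an assumed privileged switch of handler.exe.
INJECTED_URL = 'example:x" -chrome "javascript:alert(1)'

def build_command_line(template: str, url: str) -> str:
    """Caller side as the article describes it: the URL replaces %1 verbatim."""
    return template.replace("%1", url)

def escaping_build_command_line(template: str, url: str) -> str:
    """Caller side with escaping: percent-encode anything that could end the quoted
    token (quotes, whitespace, controls); reserved chars and %XX escapes stay."""
    return template.replace("%1", quote(url, safe=":/?#[]@!$&'()*+,;=%"))

def split_windows_argv(cmdline: str) -> list[str]:
    """Classic Windows CRT splitting: whitespace separates, double quotes group,
    2n backslashes before a quote give n backslashes and the quote toggles
    grouping, 2n+1 give n backslashes plus a literal quote. Simplified: argv[0]
    is treated like any other token and the newer "" rule is not modelled."""
    argv: list[str] = []
    current: list[str] = []
    in_quotes = have_arg = False
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                current.append("\\" * (count // 2))
                if count % 2:
                    current.append('"')  # odd run: escaped literal quote
                else:
                    in_quotes = not in_quotes  # even run: quote toggles grouping
                i = j + 1
            else:
                current.append("\\" * count)  # backslashes elsewhere are literal
                i = j
            have_arg = True
        elif ch == '"':
            in_quotes = not in_quotes
            have_arg = True
            i += 1
        elif ch in " \t" and not in_quotes:
            if have_arg:
                argv.append("".join(current))
                current, have_arg = [], False
            i += 1
        else:
            current.append(ch)
            have_arg = True
            i += 1
    if have_arg:
        argv.append("".join(current))
    return argv

# A URL token the handler will act on: scheme, colon, then only characters
# RFC 3986 allows (percent-escapes included); no quotes, no whitespace.
URL_TOKEN = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*:[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]*")

def accept_protocol_launch(argv: list[str], scheme: str = "example") -> Optional[str]:
    """Called-app side, the check the article says belongs here: the handler
    knows the exact argv shape its registration produces, so a launch that does
    not match it, or whose URL is malformed or for another scheme, is refused.
    Returns the URL to act on, or None."""
    if len(argv) != 4 or argv[1] != "-url" or argv[3] != "-requestPending":
        return None
    url = argv[2]
    if not URL_TOKEN.fullmatch(url) or url.split(":", 1)[0].lower() != scheme:
        return None
    return url

def demo() -> dict:
    """Handler's view of a benign URL, the injected URL passed verbatim, and the
    injected URL after caller-side escaping: name -> (argv, accepted URL or None)."""
    out = {}
    for name, cmdline in (
        ("benign", build_command_line(HANDLER_TEMPLATE, "example:hello")),
        ("verbatim", build_command_line(HANDLER_TEMPLATE, INJECTED_URL)),
        ("escaped", escaping_build_command_line(HANDLER_TEMPLATE, INJECTED_URL)),
    ):
        argv = split_windows_argv(cmdline)
        out[name] = (argv, accept_protocol_launch(argv))
    return out

if __name__ == "__main__":
    for name, (argv, decision) in demo().items():
        print(f"{name}: argv={argv!r} -> {'accept ' + decision if decision else 'refuse'}")
```

The verbatim case is the article's point: once the caller has pasted the URL in as-is, the handler receives six arguments instead of four, the injected switch is indistinguishable from one the handler was launched with legitimately, and the only thing that can notice is the handler itself, which is why the check lives there. The escaped case shows that caller-side escaping keeps the URL one token (the payload survives as inert `%22` and `%20`), but it is an assumption about what a browser could do, not a description of what IE did. The splitter follows the documented CRT rules only; a real handler should take its arguments from its runtime or from CommandLineToArgvW rather than re-parse them.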

Topics: Browser, Microsoft, Security


Talkback

116 comments
  • Seems to me...

    ...that Mozilla's stance is tantamount to saying that IE should be protecting Firefox from itself. Should IE be deciding what gets passed along to other applications? How is IE supposed to know what is valid and what isn't?

    Carl Rapson
    rapson
    • And yet...

      According to both <a href="http://larholm.com/2007/07/18/firefox-fixes-internet-explorer-flaw">Thor Larholm</a> [b]and[/b] Microsoft, IE is still vulnerable even after Mozilla patched Firefox. Plus many of the called programs are Microsoft apps. So Mozilla's stance is really "We fixed our end. You should fix yours, too". It doesn't matter if it's difficult, Microsoft [b]has[/b] to fix it one way or another (either in IE or called applications).
      Tony Agudo
      • Grr...

        ZDNet must hate me today.

        According to both <a href="http://larholm.com/2007/07/18/firefox-fixes-internet-explorer-flaw">Thor Larholm</a> and Microsoft, IE is still vulnerable even after Mozilla patched Firefox. Plus many of the called programs are Microsoft apps. So Mozilla's stance is really "We fixed our end. You should fix yours, too". It doesn't matter if it's difficult, Microsoft has to fix it one way or another (either in IE or called applications).
        Tony Agudo
        • I agree

          If an application is susceptible to malformed command-line parameters, it should be fixed. But the "problem" with IE, as near as I can tell, is simply that it passes along whatever it is given to the underlying application as a command-line parameter. Is it IE's responsibility to check for bad command-line parameters?

          Carl Rapson
          rapson
          • I'd guess that would be up to Microsoft

            The checking has to be done one way or another, at least to protect MS apps. But until MS does release some sort of patch, it wouldn't hurt to use a browser that's patched, if only for a while.
            Tony Agudo
          • Absolutely

            Since M$ claimed that IE is so closely entwined in their OS that they cannot separate it, they have to also do the necessary fixing.

            They could have just made a freestanding browser but no. They want to drink all the water in the oceans.

            You can't have it both ways.
            pmshah@...
          • That's just stupid.

            Neither IE nor Windows should check command-line options sent to an app. Are you actually suggesting that MS should magically know how many parameters an app takes and which ones are valid?

            I love Firefox (I'm using it right now) and I'm not a big fan of IE in any way, but it is ALWAYS the application's job to validate input parameters.

            Under your scenario, if app X takes no parms, Windows and/or IE should know...and if tomorrow App X takes 1 parameter that must be Apple or Peach, Windows must know. And if the day after that, App X is changed and can take any fruit that has a seeds or a pit as a parm, windows must know.

            Clearly that's not going to happen unless you want MS to introduce a new interface that forces all app writers to tell windows what's allowed, which is fine, but I doubt that'd be any easier than just doing your own parameter checking. It'd probably be harder.
            notsofast
        • Why do you assume Mozilla's fix wasn't already implemented?

          [i]It doesn't matter if it's difficult, Microsoft has to fix it one way or another(either in IE or called applications).[/i]

          Up to July 16th, Firefox would accept a call from IE and blindly use the parameters without checking to see if there were quotes in there that could be used to access the -chrome parameter and do nasty things on the computer.

          On July 17th, Firefox parses the command line so that it can't be tricked into doing nasty things on your computer.

          Why do you assume that the code Mozilla added to Firefox on July 17th [b]wasn't already in all the other programs that Thor Larholm mentioned[/b]? It is well documented that IE was not parsing the parameters before passing them on and that the responsibility lay in the called application. Mozilla either missed that part of the documentation or figured that there wasn't any way anyone could use Firefox to do nasty things on the computer. Why do you assume that all the authors of all the other programs were as negligent? Maybe, unlike Mozilla, [b]they did it right the first time[/b].

          So no, maybe Microsoft has nothing to fix in the called applications because they already parse the command lines coming from IE. And yes, I am typing this from my favorite browser right now: Firefox.
          NonZealot
          • Did you read Larholm's article?

            [i]I can categorically deny that this flaw has been fixed in Internet Explorer. Nicolas Robillard even detailed this flaw back in 2004 and it has remained unpatched since long before then.

            The only thing that is changing as time goes by is the exploration of new attack vectors, which simply means investigating the various command line arguments that each of the above processes will accept to execute code. As soon as a new attack vector is uncovered a new exploit can be produced to automatically execute code through Internet Explorer.[/i]

            What then if Larholm or others succeed in finding a new attack vector that Microsoft missed? I'm erring on the side of caution by saying that Microsoft should patch it. You're assuming every application has all the bases covered, which is honestly risky when compared to Firefox now directly checking it. Wouldn't it be better if IE did some basic checking and the called app would parse in detail?
            Tony Agudo
          • I most certainly did

            however I don't believe something simply because someone says it is true. He calls it a flaw which it isn't. It is an attack vector that may or may not be usable to gain access to flaws in other programs like Firefox. Images in web pages are also attack vectors that can be used to take advantage of [url=http://news.com.com/Image+flaw+pierces+PC+security/2100-1002_3-5298999.html]flaws in libpng[/url]. In that case, would you have suggested that Firefox preparse the image before passing it to libpng? No, Firefox does exactly what IE is doing: passes the data to the registered handler as is. Firefox doesn't know what .png files will cause buffer overflows just like IE simply doesn't know what command line arguments can be used to do nasty things on your computer. The libpng flaw was a libpng flaw even though the attack vector was through Firefox.

            [i]Wouldn't it be better if IE did some basic checking and the called app would parse in detail?[/i]

            The problem I see here is that the documentation very clearly states that there is no checking, no parsing, no quote padding, nothing. IE is used in many, many, many corporate intranets. How do you know that changing functionality that is [b]well documented[/b] isn't going to break some intranet app that has been working just fine for years now? Will you be the one to go over to that company and fix it? When the patch breaks those applications, will you be one of the many who say: yet another MS patch that breaks things!

            Sorry but in this case, just like the libpng case, it is up to the called application to make sure that all input data is correct, [b]especially[/b] when the documentation very clearly states this.
            NonZealot
          • So in effect you are saying that ,,,

            Microsoft's C.R.A.P.P.Y. Internet Explorer accepts C.R.A.P.P.Y. code and then passes that C.R.A.P.P.Y. code to other applications that do harm. Microsoft says it is difficult to fix, which is why Microsoft refuses to fix their junk. It's all in Mary Jo Foley's story; now NonZealot wants to spin it like it's every other 3rd-party vendor's job to protect their apps from this attack vector. Interesting... I have one thing to say today, and that is that Microsoft coding is absolute garbage. They are even admitting it's difficult to fix, which is why they are blaming everyone else. Why are you even bringing up the libpng issue? What does it have to do with the flaw affecting Internet Explorer? You see folks, even this joker has to spin it because they won't admit it's Microsoft's fault. Defend the hive, defend the queen, Zealot.
            Intellihence
          • A Leopard needs a brain transplant.

            I don't care what bloody program you install on top of an OS, if the OS isn't experiencing a particular flaw prior to the installation of program X and it is experiencing the flaw after program X is installed then program X is the problem. There are no other excuses acceptable. If Program X experiences a flaw when installed on the OS then again it's program X that is the problem.

            It's just too friggin' bad if you like a program, like FF for example, that doesn't play well in a particular OS. It's up to FF to either correct the problem or, if the problem is unrepairable, to sue MS for creating an OS that purposely makes other browsers unusable in the OS. Unfair competition and all.

            If I tell Apple that most of my programs will not work on an Apple computer at all there is no obligation for Apple to fix that, their position would rightly be that if you want it to run on OSX you had better code it right. Likewise with Linux. If someone wants a program to run on a Linux platform they had better write the program correctly and not blame Linux; that the way they prefer to write code is different than what Linux cleanly accepts and it tends to break the OS so the Linux OS is at fault.

            This isn't rocket science. It's not a difficult concept or in any way up to some kind of debate. If you don't like the fact some of your favorite software won't run on Windows then switch to an OS that does. Contact the producer of that favorite software and ask them to at least try to write code that works on Windows. But get off the crack pipe, if the program won't work right in Windows it's not Windows' fault because the OS is always just exactly what it is. Nothing more, nothing less.

            You might as well complain that a house was built wrong because it doesn't fit your favorite furniture. The unfortunate truth is that it wasn't built wrong, if you want your furniture to fit the apartment it was your furniture that was built wrong if it was meant to go in the apartment and it won't fit. The OS is the end product, if you don't like it don't use it. I don't think anyone is saying no one should suggest improvements but calling it crap is not only wrong, it's pointless in the extreme.
            Cayble
        • I also answered you in another post

          [url=http://talkback.zdnet.com/5208-12353-0.html?forumID=1&threadID=36359&messageID=670334] Another reply [/url]

          Of particular note, when referring to the 2004 advisory:

          [i]Nicolas Robillard even detailed this flaw back in 2004 and it has remained unpatched since long before then.[/i]

          I read it, did you? Here is the interesting quote:
          [i]The /layout switch will open windows media player in Skin Mode.
          ...
          Of course, the vulnerability is not to open WMP in Skin Mode but it resides in the ability to pass extra command line switches where only one should be accepted.[/i]

          In a world where the MPack authors pay $10,000 for a 0 day IE flaw, you are telling me that no one has been able to figure out how to use something so simple as this? Yes, in 2004, Nicolas detailed how you could open WMP in Skin Mode and in the last 3 years, no one has figured out how to use this to do anything other than open WMP in Skin Mode. There are reasons why and the reason is simple: WMP doesn't have any command line arguments that can do nasty things.
          NonZealot
          • Microsoft knew about the issue since 2004

            so they fixed their junk, but they forgot to tell 3rd party vendors about it. WHY? Please explain NonZealot, why didn't Microsoft tell 3rd party vendors about this? Perhaps because Microsoft wanted the world to see that 3rd party vendors make junk, when in effect it's Microsoft products that are junk.
            Intellihence
          • yeah...

            it's not Microsoft's job to do anything to ensure that their operating system is secure...
            jasonp@...
          • If Microsoft is at all concerned with user security,

            it is certainly the firm's "job" to inform third-party vendors of any and all vulnerabilities in MS products that might require actions on the part of these vendors. That a MS representative like Markellos Diorinos claims otherwise shows the contempt in which users seem to be held by certain segments of the Microsoft hierarchy. On the other hand, it may be the case that Mr Diorinos is the product representative of whom Mike Cox so frequently writes, and has only recently been promoted to a more responsible (?) position. So give him time !...

            Henri
            mhenriday
          • A frightening prospect...

            Here I am with some AGREEMENT with something in a No_Ax post!

            There is no REASONABLE way that MS can check command lines for 3rd party apps in a meaningful way. There are too many - they can change too quickly - and what is OK for one may not be for another. That is NOT the job for MS.

            My understanding of this problem, though, is that MS passes it along UNCHANGED - not even following the industry standards on escaping quotes and so on. THAT should be fixed - even if the effect propagates down to other MS code counting on this behaviour.

            In other words:

            passing a parameter unchecked: OK and documented
            passing parameter malformed: NOT OK and not in docs

            They should fix the behaviour - but they should NOT have to try to protect all 3rd party apps from themselves either. Think how nice it would be if MS FOLLOWED a standard (that they were in on) rather than 'our way works for us'....
            Freebird54
          • You're clearly not a programmer

            Because if you were, you'd know it's not MS's job to decide what is or is not a valid parameter for a random application.

            The bug was in Firefox and what you're suggesting is that MS should write their OS such that they can tell what type of input parms a program expects.

            When I first read about this a week or so back, I was sure it was MS's mistake, alas it's not.
            notsofast