MS Outlook flaw adds new twist to URI handling saga


Summary: According to Secunia's chief technology officer Thomas Kristensen, proof-of-concept code demonstrating the Outlook issue has been sent to Microsoft to prove that this is indeed a Windows vulnerability that's caused by a design change in Internet Explorer 7.


For months, Microsoft has taken a firm hands-off approach to the URI protocol handling vulnerability saga, shrugging off suggestions that there's a flaw in Windows that needs to be fixed.

Now comes word that two Microsoft products -- Outlook Express 6 and Outlook 2000 -- have joined the growing list of Windows applications that can be used as attack vectors.

According to Secunia's chief technology officer Thomas Kristensen, proof-of-concept code demonstrating the Outlook issue has been sent to Microsoft to prove that this is indeed a Windows vulnerability that's caused by a design change in Internet Explorer 7.

[ SEE: How to configure Internet Explorer to run securely ]

"Microsoft is now affected by [its] own design change," Kristensen said in an e-mail exchange. "We hope that Microsoft now chooses the right path and creates a general fix for Windows [or] IE7 rather than start patching all their own applications and ask third party vendors to do the same," he added.

A spokesman for Redmond's security response team said the company is aware of what is described as "a potential issue in the way that Windows handles URLs passed in from other applications."

He also dropped a strong hint that this is something that might require a comprehensive Windows fix.

"Microsoft is continuing its investigation into this issue. Once we're done investigating, we will take appropriate action to help protect customers. This may include providing an update or additional guidance for customers."

[UPDATE: The company has issued a formal security advisory with more information on the risks. The advisory does not include any pre-patch workarounds.]

That's a far cry from this statement from Microsoft in July:

Microsoft has thoroughly investigated the claim of a vulnerability in Internet Explorer and found that this is not a vulnerability in a Microsoft product.

An updated advisory from Secunia lists the following applications as attack vectors on fully patched Windows XP SP2 and Windows Server 2003 SP2 systems (with IE 7 installed):

  • Firefox version 2.0.0.5
  • Netscape Navigator version 9.0b2
  • mIRC version 6.3
  • Adobe Reader/Acrobat version 8.1 and prior (when opening PDF files)
  • Outlook Express 6 (e.g. when following specially crafted links in VCards)
  • Outlook 2000 (e.g. when following specially crafted links in VCards)

ALSO SEE:

Command injection flaw found in IE: Or is it Firefox?

IE-to-Firefox flaw debate rages: Ex-Microsoft security strategist weighs in

Mozilla caught napping on URL protocol handling flaw

Mozilla fixes its end of URL protocol handling saga

Adobe confirms PDF backdoor


Talkback

40 comments
  • Firefox Folks this is fixed in current version 2.0.0.7

    nt
    D T Schmitz
  • BS -- it's a FireFox bug.

    MS has investigated the whole story thoroughly, and it's someone else's problem.
    Yagotta B. Kidding
    • Wow!

      Those FireFox people are really good! I mean they can take a fully patched Windows machine, WITHOUT their FF software installed, and compromise it using Adobe software. The article said:

      An updated advisory from Secunia lists the following applications as attack vectors on fully patched Windows XP SP2 and Windows Server 2003 SP2 systems (with IE 7 installed):

      # Netscape Navigator version 9.0b2
      # mIRC version 6.3
      # Adobe Reader/Acrobat version 8.1 and prior (when opening PDF files)
      # Outlook Express 6 (e.g. when following specially crafted links in VCards)
      # Outlook 2000 (e.g. when following specially crafted links in VCards)

      Yep, I removed the line:

      # Firefox version 2.0.0.5

      And it still says the system can be attacked. Wonder how the FF people managed that? ;-)
      Cardinal_Bill
    • Merde. Au contraire...

      [i]"This page lists security vulnerabilities with direct impact on users. All of these vulnerabilities have been fixed prior to the most recent release."[/i]:

      [url=http://www.mozilla.org/projects/security/known-vulnerabilities.html]Read up![/url]

      [url=http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox]More light reading[/url]

      Twist your sister.
      D T Schmitz
    • I asked George and No Axe

      http://talkback.zdnet.com/5208-12691-0.html?forumID=1&threadID=36767&messageID=677036&start=-9939

      [B]It does make one wonder how he will spin the future event IE URL handler spoof launching Office 2007 zero day exploit in the wild into a FireFox problem.[/B]

      I was wrong in my 3 month ago prediction, I selected office, not outlook, but again, there is no fault with IE, there is technically no fault in Outlook, it must be FireFox.

      George, can you elaborate on your thoughts, I remember you getting quite excited with all CAPS stating that there was no MS IE problem. The problem lies 100% in third party apps (rats, turns out MS makes some of them), so the logical solution is to fix this in all 15,123 called apps or the SINGLE app doing the calling?

      TripleII
      • We Know The Outcome :D

        No_Axe won't even show up on this thread. George is far too excited about the OLPC at the moment to comment and even if he did his position will be that IT IS NOT AN IE PROBLEM :)

        Timbo
        TheBoyBailey
      • The logical solution...

        The logical solution is to change the calling sequence so you don't have to create a quoted command line then parse it again in the handler.

        Microsoft could just remove the restrictions on the POSIX subsystem so apps could make POSIX and Win32 calls, and then use exec(), and deprecate apps that used the old nasty Windows command line.

        But no, they're too scared of UNIX/Linux/OSX to get compatible with the rest of the world.
        Resuna
    • BS -- it's a Safari bug .

      Remember when all the Windows Shills and Zealots all came out to Microsoft's defense claiming this was not a Microsoft issue. Well guess what kiddos, you can't have your cake and eat it too.


      "In a world without walls and fences , who needs windows and gates."
      Intellihence
      • It's a Windows bug.

        Windows URI handling is inherently flawed in two significant ways, one of which was copied by Apple in OS X and one that is unique to Windows.

        * URIs are used for both internal and external purposes, selected from the same list, leaving it up to the calling application to determine if the application handling that URI should be used.

        * Passing parameters to applications in Windows requires that the caller guess how the called application handles quotes.
        Resuna
    • Yeah, but that's M$ that investigated...

      The flaw is only there when IE7 is there, so therefore, there is something wrong with IE7 that caused it.
      kamahl928
  • RE: MS Outlook flaw adds new twist to URI handling saga

    It's been Microsoft's modus for years. If they want to generate more cash flow and keep programmers, marketing, sales, etc., busy, they need flaws to fix, and new versions to produce.

    If they actually had a system that worked flawlessly, the 'subscription' we all buy would no longer be needed.

    If THIS problem isn't Microsoft's, there are plenty of others that are, and it's part of using their products.

    I used to tell my students in marketing classes that if businesses were perfect, new graduates would have very little to offer and would have a tough time getting jobs.

    It's the imperfections in the market that create opportunities.

    A perfect example: Ubuntu and other Linux versions -- They are of interest because of Microsoft's less than perfect systems. If Windows was perfect, it would be the only game in town, and many other companies would be out of business (Symantec, McAfee, Redhat, Sun Microsystems, etc. etc.)
    jeff92677
  • How long will people put up with this kind of thing?

    Windows command line quoting attacks have been with us for at least 10 years.

    Similar schemes have been performed to exploit UNIX applications that use "system" or the equivalent to run commands that include text from untrusted sources, and for SQL injection attacks.

    The solution on UNIX is to use exec() rather than system(), which completely eliminates the possibility of a command line quoting attack in parameter parsing.

    The solution in SQL is to use prepared statements, which completely eliminates the possibility of an SQL injection attack caused by quote misinterpretation.

    The solution in modern Windows would be to use the POSIX subsystem's "exec()" call, except that Microsoft isolated the POSIX subsystem from the Win32 subsystem to make sure nobody actually used it to write software that was portable between UNIX and Windows. There's probably some .NET call that will work for .NET applications, and a COM API that will work for COM components, but for most Win32 applications these are not reasonable alternatives.

    But Microsoft doesn't need to worry. People will accept whatever bandaids they come up with, and forget about this one. After all, they've put up with these kind of shenanigans from Microsoft for a decade now... along with the other URI handling flaws, the insecurity zones, the legacy network protocols, the lack of a consistent mechanism (or any mechanism) to bind applications to interfaces, and the "default open" ActiveX and helper application policies...
    Resuna
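The mechanism behind the "attack vectors" listed in the Secunia advisory, Microsoft's "the way that Windows handles URLs passed in from other applications", and the quoting problem the comment above describes all come down to one hand-off: a URI is textually substituted into a registered handler's command-line template and then re-tokenised by the launched program. The following Python is an added example, not code from the article, Secunia, Microsoft or the commenter. It simulates that hand-off with an invented `demoproto` scheme, an invented handler template and an invented `-config` switch (none correspond to a real registry entry or product), uses a simplified re-implementation of Windows argument splitting, and shows both the unchecked substitution and a round-trip check that refuses to launch when the URI does not survive as a single argument.

```python
"""Simulation of the URI-to-command-line hand-off discussed above.

Added example: not code from the article, Secunia, Microsoft or the
commenter.  The "demoproto" scheme, its handler template and the "-config"
switch are invented for illustration and match no real registry entry.
"""
import re
from urllib.parse import quote

# Invented stand-in for an HKCR\<scheme>\shell\open\command value.  Windows
# builds the handler's command line by textually substituting the URI for %1,
# so the caller, not the handler, decides whether the URI stays one argument.
HANDLER_TEMPLATE = r'"C:\Program Files\Demo\demo.exe" -url "%1"'

# Constructed sample inputs.
BENIGN_URI = "demoproto://open?id=42"
MALICIOUS_URI = 'demoproto://x" -config "C:\\evil.cfg'   # closes the quote, injects a switch

SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def build_command_line(template: str, uri: str) -> str:
    """The unvalidated substitution: exactly what makes a caller an 'attack vector'."""
    return template.replace("%1", uri)


def split_windows_command_line(cmdline: str) -> list[str]:
    """Simplified CommandLineToArgvW.

    Double quotes group words; 2n backslashes before a quote become n
    backslashes; 2n+1 backslashes before a quote become n backslashes plus a
    literal quote.  (The '""' inside-quotes rule is omitted for brevity.)
    """
    args: list[str] = []
    cur: list[str] = []
    in_quotes = have_arg = False
    i = 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\":
            n = 0
            while i < len(cmdline) and cmdline[i] == "\\":
                n += 1
                i += 1
            if i < len(cmdline) and cmdline[i] == '"':
                cur.append("\\" * (n // 2))
                if n % 2 == 1:          # odd count: the quote is literal
                    cur.append('"')
                    i += 1
            else:
                cur.append("\\" * n)
            have_arg = True
        elif c == '"':
            in_quotes = not in_quotes
            have_arg = True
            i += 1
        elif c in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg = True
            i += 1
    if have_arg:
        args.append("".join(cur))
    return args


def sanitize_uri(uri: str) -> str:
    """Percent-encode anything that could change tokenisation (quotes, spaces,
    backslashes, control and non-ASCII characters); RFC 3986 delimiters stay."""
    return quote(uri, safe=":/?#[]@!$&'()*+,;=%-._~")


def dispatch(template: str, uri: str, sanitize: bool = True) -> list[str]:
    """Return the argv the handler would receive, or raise ValueError if the
    URI would not survive the hand-off as a single argument.

    The round-trip check is the general fix for this bug class: re-parse the
    command line you built and refuse to launch unless it tokenises exactly
    as intended.  It catches the quote break-out and the trailing-backslash
    case ('...\\"') alike, whether or not sanitisation was applied.
    """
    if not SCHEME_RE.match(uri):
        raise ValueError("not a URI: %r" % uri)
    if sanitize:
        uri = sanitize_uri(uri)
    expected = [tok.replace("%1", uri) for tok in split_windows_command_line(template)]
    actual = split_windows_command_line(build_command_line(template, uri))
    if actual != expected:
        raise ValueError("argument injection: handler would see %r" % actual)
    return actual


if __name__ == "__main__":
    print("unchecked:", split_windows_command_line(build_command_line(HANDLER_TEMPLATE, MALICIOUS_URI)))
    for uri, san in ((BENIGN_URI, False), (MALICIOUS_URI, False), (MALICIOUS_URI, True)):
        try:
            print("dispatch :", dispatch(HANDLER_TEMPLATE, uri, sanitize=san))
        except ValueError as err:
            print("refused  :", err)
```

Run as a script, the unchecked line shows `-config` and `C:\evil.cfg` arriving as separate arguments; `dispatch` refuses the raw malicious URI and accepts the percent-encoded one as a single argument. The round-trip check is what a caller can do today without waiting for a platform fix; the structural fix the commenter argues for (handing the callee an argv rather than a re-parsed string) removes the need for the check altogether.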
    • Until Windows is no longer "free"

      Unbundle the price on every PC from the operating system. When everyone sees that Windows is not actually free, three things will happen.

      1) MS will be forced to reduce prices and/or increase quality
      2) Some percentage (Ye would predict 0.0003%, I would suggest 4-5%, growing slowly over the years) will purchase no OS and install Linux
      3) The majority will grumble and take Vista, but it will finally help level the playing field and allow for an actual choice.

      Until, seriously, there is a choice to purchase a computer without the MS tax (no, not the few and far between odd systems from SOME vendors) people really don't have a choice.

      TripleII
      • Microsoft's always made Windows "free" one way or another.

        Even when it wasn't built into the price of the box, they took advantage of the pirate domain. They didn't go to heavy-handed DRM to keep you from copying Windows until they were sufficiently dominant there was no alternative. If they had to unbundle it you'd see WGA start to fade away... because they'd rather you run a pirated copy of Windows than run Linux.

        BTW, I read an article recently about an increase in Apple desktop market share that was actually interesting from the Linux point of view... because it showed, IIRC, 91% Windows and 6% MacOS... meaning Linux and the like (BSD, and the folks holding out on OS/2 and BeOS, but mostly Linux) is already at 3%.
        Resuna
  • RE: MS Outlook flaw adds new twist to URI handling saga

    Trust Microsoft to correct problems in a timely fashion, I don't think so.
    Red Elk
  • FireFox with NoScript

    Windows is the real vulnerability. A fine operating system...provided you don't connect it to the internet. Then it's a security freak show.
    Chad_z
    • A freak show, really?

      Well, I want my money back for non-performance. One virus in 10 years on all my systems and that one came from an infected floppy disk from a co-worker back in 2000.

      If it is such a freak show, then I must be missing something... or is it that the non-MS OS fanboys don't know how to secure a Windows box (hint - takes about 15 minutes to completely secure it WHILE connected to the Internet).

      I tend to think it is the latter.
      Confused by religion
      • Really?

        Of course you are running those systems on the internet without a firewall or antivirus software, right?

        I've done exactly that with my Macs since 1994. Not a single virus.
        middle of nowhere
        • Doh! Oh here we go with the Apple products...

          (kidding really.)
          D T Schmitz
      • Iiiiiiiiiiiiiiiiiiiii....think NOT Milly!!!

        nt
        D T Schmitz