[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

Roger A. Grimes writes:

> The applications in question are accepting abitrary input and not 
> validating correctly.

No -- they are handing the input over to the operating system -- which is 
a reasonable thing to do for things that start with mailto|htpp|...

> How is that a Microsoft or Windows problem? 

Ok, so just Microsoft and Windows: 



in "Start/Run"

1) on a system with Windows XP and IE6. Outlook Express is executed as 

2) now do the very same thing on a system with Windows XP and IE7. 
calc.exe is executed.

3) Now do the very same thing on a system with Windows Vista. You get a 
"... could not be found"

No 3rd party software involved, just Microsoft and Windows -- three 
different reactions. That is not what I would call a reliable and therefor 
secure basis for applications.

You can propably argue in favour of any of those reactions -- but not for 
all of them.

bye, ju

Juergen Schmidt    editor-in-chief    heise Security     www.heisec.de
Heise Zeitschriften Verlag,    Helstorferstr. 7,       D-30625 Hannover
Tel. +49 511 5352 300      FAX +49 511 5352 417       EMail ju@xxxxxxxxx
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970