Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Firefox and IE Still Not Getting Along

Zonk posted more than 7 years ago | from the kids-kids-kids dept.

Security 207

juct writes "Heise describes a new demo showing how Firefox running under Windows XP SP2 can be abused to start applications. For this to work, however, Internet Explorer 7 needs to be installed. This severe security problem promises another round in the 'who-is-to-blame-war' between Mozilla and Microsoft. Mozilla currently is leading the race for a patch, as they have one ready in their bugzilla database. 'The authors of the demo note that there are many further examples of such vulnerabilities via registered URIs. What is so far visible is just "the tip of the iceberg". They state that registered URIs are tantamount to a remote gateway into your computer. To be on the safe side, users should, in the authors' opinion, deregister all unnecessary URIs - without, however, elucidating which are superfluous.'"

cancel ×

207 comments

Sorry! There are no comments related to the filter you selected.

No problem (5, Funny)

Anonymous Coward | more than 7 years ago | (#20000371)

IE is the better browser. Just use that one.

both of these browsers are gay (-1, Troll)

Anonymous Coward | more than 7 years ago | (#20000373)

i use lynx

Re:both of these browsers are gay (0, Funny)

Anonymous Coward | more than 7 years ago | (#20000425)

Lynx is a furry, though. Would you rather be gay or a furry?

Re:both of these browsers are gay (-1, Flamebait)

Dahan (130247) | more than 7 years ago | (#20000731)

Lynx is a furry, though. Would you rather be gay or a furry?
Huh? There's no dichotomy possible--all furries are gay. Hence the command, "YIFF IN HELL FURFAGS"

Re:both of these browsers are gay (0, Redundant)

fr4nk (1077037) | more than 7 years ago | (#20001055)

I use the modem that is built into my brain for browsing the web. I call my ISP's dial-up number with a phone, receive data with my ears and send packets through my mouth.

Just like that robot chick from Terminator!

bug database (-1, Troll)

Frizzle Fry (149026) | more than 7 years ago | (#20000385)

Mozilla is leading because they have a bug in their bug database? So the summary is claiming that MS does not have a bug in their bug database? How would you know this?

Re:bug database (3, Informative)

Anonymous Coward | more than 7 years ago | (#20000437)

Mozilla is leading the race to a patch as they have a PATCH in their bugzilla database.

Re:bug database (5, Interesting)

Alwin Henseler (640539) | more than 7 years ago | (#20001201)

Unfortunately it doesn't fix the real problem, only makes FF work around it. Other applications could have the same issue on affected systems. According to TFA:

(..) one reason for the new vulnerability is that Windows XP interprets the string %00 incorrectly. As a result, instead of the URL protocol handler, the FileType handler is called with the complete URL, via which it is then possible to call further programs with arbitrary arguments.

If this is true, it is the URL protocol handler that needs a patch (or whatever replaces/modifies its behaviour when IE7 is installed).

One more reason I prefer Open Source software: If you're a developer and run into a problem like this, then besides work around it in your application, you also have the option to fix the actual problem (in this case, the OS component that handles URL's). Next to impossible on a closed source OS.

Re:bug database (0)

Anonymous Coward | more than 7 years ago | (#20001963)

....so I think right there it's proven that it's IE's fault.

Firefox FTW!

Re:bug database (4, Informative)

PinkPanther (42194) | more than 7 years ago | (#20000439)

No, read the synopsis again:

Mozilla currently is leading the race for a patch, as they have one ready in their bugzilla database.

They are leading the race for a patch. They have one (PATCH) ready in their database.

Re:bug database (0, Offtopic)

ThisIsWhyImHot (1121637) | more than 7 years ago | (#20000775)

Let's pray Robin Williams doesn't make a "Patch" Adams 2.

Re:bug database (1)

Bill, Shooter of Bul (629286) | more than 7 years ago | (#20001997)

Same difference. I'm sure microsoft is also looking into the problem. Being who they are and what they do, they don't usually allow people to monitor the progress of their security fixes. I'm not mozilla won't be the first to patch, but its sort of like trying to decide if the red snapper is better than what ever is in the box that Hiro-San is bringing down the aisle right now.

Re:bug database (0)

Anonymous Coward | more than 7 years ago | (#20000451)

lurn to reed honi!

it sez mozilla's already got a PATCH darling...

Didn't work in seamonkey (1)

splatter (39844) | more than 7 years ago | (#20000493)


Using XP sp2 with seamonkey 1.1.1 and none of the links worked.

No Microsoft Software has Bugs (2, Funny)

Cassini2 (956052) | more than 7 years ago | (#20000499)

Microsoft software does not have bugs. They have "undocumented features". It is a feature that Internet Explorer 7 works this way. When properly embraced, it extends the operating system with new features, and extinguishes all problems.

Be positive about these features!!! :-)

Re:No Microsoft Software has Bugs (0)

Anonymous Coward | more than 7 years ago | (#20000965)

nice try, i almost laughed..almost

Re:bug database (0)

Anonymous Coward | more than 7 years ago | (#20001049)

I thought all Primus fans were somewhat educated readers...

Obviously firefoxs fault (5, Funny)

SolusSD (680489) | more than 7 years ago | (#20000409)

All the intertwined security problems HAVE to be caused by firefox, right? I mean-- Microsoft surely knows how to write applications using their own APIs on the operating system *they* developed.

Re:Obviously firefoxs fault (1, Interesting)

Anonymous Coward | more than 7 years ago | (#20000581)

It is Firefox's fault. They're invoking a Windows API directly without doing any sanity checking on the input.

If I create a URL that manages to get Firefox to tell Windows to run a command, how is that Windows' fault? Firefox is the one that told Windows to execute the command, Windows just did what Firefox told it to do.

Re:Obviously firefoxs fault (2, Funny)

Selfbain (624722) | more than 7 years ago | (#20000601)

So it was just following orders you're saying. I'm not sure that defense works.

Re:Obviously firefoxs fault (5, Funny)

jez9999 (618189) | more than 7 years ago | (#20000629)

Browser: "Feed that dog."
OS: *gets out gun and shoots dog dead*
Browser: "WTF? What did you do that for?"
OS: "You told me to."
Browser: "I told you to feed it!"
OS: "Yeah, I changed the definition of that yesterday to 'shoot dead'."

Re:Obviously firefoxs fault (3, Insightful)

brunascle (994197) | more than 7 years ago | (#20000655)

Firefox is the one that told Windows to execute the command
except, a URI with a scheme of mailto, nntp, news, or snews does not tell Windows to launch a command. it tells windows to open the application that handles that scheme and give the URI to that application. what the application does is up to the application. if calc is loaded, there's either a bug in Windows or the application that handles the scheme.

Re:Obviously firefoxs fault (1)

Applekid (993327) | more than 7 years ago | (#20000947)

Problem is that in windows "launch a command" and "open application referenced in the registry" need not be two different things. The default handler for mailto, for example, could be set in the registry to "shutdown -s -f -t 0"

Then again, if you open a mailto link and Malicious App 2.0 opens, you've ALREADY been compromised by Malicious App 1.0, already on your system, having modified your registry. With those kind of permissions, whatever payload Malicious App 2.0 has could have been done anyway by Malicious App 1.0.

Re:Obviously firefoxs fault (5, Funny)

TrebleMaker (628707) | more than 7 years ago | (#20002039)

for example, could be set in the registry to "shutdown -s -f -t 0"
Honestly, I read that as "shutdown -s -t -f -u" the first time.

and so on and so forth (1, Insightful)

twitter (104583) | more than 7 years ago | (#20001123)

and the problem does not exits for Firefox before "upgrading" to IE 7 or on other platforms because M$ has yet to force sane user and privilege separation and on and on. Is there any way this could be anything but a M$ problem?

First time? (1)

Futurepower(R) (558542) | more than 7 years ago | (#20001597)

IE 7, new software from Microsoft, just happens to cause problems with other software that competes with Microsoft.

Has that ever happened before?

Re:Obviously firefoxs fault (3, Interesting)

SolusSD (680489) | more than 7 years ago | (#20000679)

executing a program is one thing-- allowing the installation and execution of a virus is another.Since most windows users run as admins it is enough just to gain some access to the user's account (maybe through firefox) to install malicious code. Of course, as the article suggests, the "bug" only exists when IE7 is installed.
also... i'm pretty sure if windows was a person he would punch himself in the genitals if he was asked to.

Re:Obviously firefoxs fault (4, Insightful)

miffo.swe (547642) | more than 7 years ago | (#20000795)

"It is Firefox's fault. They're invoking a Windows API directly without doing any sanity checking on the input." According to your masters its the receiving application that should do the sanity check. There was a rather heated debate on this a while ago when it was IE who forwarded malicious URLS to Firefox. Also, Firefox told IE to open an URL for all it knows, not some random application. The error is in IE7 no matter how you spin it. Dont forget any application besides Firefox can forward this kinds of URLs to IE7. In short any application you use that connects to web pages is a threat to IE7.

Re:Obviously firefoxs fault (2, Informative)

Anonymous Coward | more than 7 years ago | (#20000903)

Oh please. You're wrong.

The Firefox bug was essentially that it was receiving URLs like "firefoxurl: -chrome javascript:alert('Oops.')" and then, instead of interpreting the URL as a URL it was interpreting it as a command line. This is clearly Firefox's fault - they configured IE to pass Firefox all URLs that start with "firefoxurl:", but neglected to tell IE that it should inform Firefox that it shouldn't emulate a UNIX shell when receiving the URL.

This is why almost all UNIX commands have that helpful "--" option, to suppress further option parsing. In fact, the Firefox fix was essentially to add that feature. They named it something braindead, but essentially they told IE that instead of executing "firefox.exe %s" it should execute "firefox.exe -- %s". Keep in mind that in Windows, the command line is not parsed, it's given directly to the command to parse as it wants.

Now contrast it with this case.

Firefox is giving URLs with INVALID CHARACTERS to Windows, and Windows is treating them as best it can, which can be exploited.

If Firefox were properly handling the URLs and not including invalid characters, this problem wouldn't be happening.

Re:Obviously firefoxs fault (4, Interesting)

mhall119 (1035984) | more than 7 years ago | (#20001227)

Since the URL's have the same effect if they are launched from the Windows Start menu, and presumably from any application that passes URLs to Window's URL handler, I don't see how this is Firefox's fault. Combine that with the fact that the URL is valid (%00 is valid URL encoding), and the fact that the flaw only exists when IE7 is installed, and you have a very hard time blaming Firefox for this.

That said, I completely agree with you on the firefoxurl: flaw.

Re:Obviously firefoxs fault (3, Insightful)

140Mandak262Jamuna (970587) | more than 7 years ago | (#20001285)

Why should the browser be able to run privileged commands on the OS? Why should it have access to anything other than the cache directory?

Re:Obviously firefoxs fault (1)

man_of_mr_e (217855) | more than 7 years ago | (#20002087)

Why should it have access to anything other than the cache directory?

So where should downloaded files go? In with all the other cache files?

Re:Obviously firefoxs fault (1)

Blakey Rat (99501) | more than 7 years ago | (#20000885)

Microsoft surely knows how to write applications using their own APIs on the operating system *they* developed.

What makes you think there's any overlap in the IE team and the Windows team? Out of curiosity. I think people who say things like this don't realize how huge Microsoft is. They have something like 70,000+ employees.

Re:Obviously firefoxs fault (1)

SolusSD (680489) | more than 7 years ago | (#20000941)

it isn't too much to ask for an internal programming team to know how to correctly use APIs the company developed. It *is* pathetic when they make mistakes like this. Just because they are big doesn't mean they have an excuse to be unorganized-- though having that meany employees is usually a consequence of being unorganized, and for that matter, usually makes things worse.

Re:Obviously firefoxs fault (1)

Shados (741919) | more than 7 years ago | (#20001425)

Im not quite sure you are aware of how much API microsoft developed... I don't think its humanly possible, honestly. And each of those APIs are quite large, and projects can touch quite a few. Learning 80% of the ones they're touching? Yes, definately. Learning 100%? Thats just not realistic.

LOL (-1, Troll)

Anonymous Coward | more than 7 years ago | (#20000455)

As firefox begins to suck more and more, it becomes Microsoft's fault.

Re:LOL (0)

Anonymous Coward | more than 7 years ago | (#20000675)

As firefox begins to suck more and more, it becomes Microsoft's fault.
There's only so much an application can do to stop the underlying OS from sucking.

I don't have IE7.. (1)

the_rajah (749499) | more than 7 years ago | (#20000465)

on my Ubuntu machine or my Mac, you insensitive clod!

Actually, I don't have it on my XP-Pro SP2 machine I use to run Quickbooks, either.

Solution: DON'T INSTALL IE7 (0, Troll)

Filter (6719) | more than 7 years ago | (#20001231)

Solution: DON'T INSTALL IE7

Re:I don't have IE7.. (0)

Anonymous Coward | more than 7 years ago | (#20001361)

So you only use Windows for Quickbooks? Two words: Virtual Machine. I like VMWare Fusion on my Mac, myself.

Errr (2, Insightful)

ilovegeorgebush (923173) | more than 7 years ago | (#20000487)

To be on the safe side, users should, in the authors' opinion, deregister all unnecessary URIs - without, however, elucidating which are superfluous.
What, sort, of, sentence, is, that?!

Re:Errr (0)

Anonymous Coward | more than 7 years ago | (#20000585)

Leave, him, alone,. He, has, comma, fetish,.

Re:Errr (2, Funny)

GreenEnvy22 (1046790) | more than 7 years ago | (#20000595)

I believe that would be one from the William Shatner school of grammar.

Re:Errr (1)

snowgirl (978879) | more than 7 years ago | (#20000609)

I thought that the sentence was generally unnecessary, also. Yes, geeks will understand it, yes slashdot is targetting geeks... but why should we be acting so damn pretencious?

Re:Errr (1)

camperdave (969942) | more than 7 years ago | (#20000611)

I agree. It sounds like the users should be elucidating which URIs are superfluous, whereas it was probably intended that the author be the one doing the elucidating.

Re:Errr (1)

andawyr (212118) | more than 7 years ago | (#20000639)

A perfect demonstration of the incorrect usage of the comma.

Re:Errr (1)

east coast (590680) | more than 7 years ago | (#20000745)

A perfect demonstration of the incorrect usage of the comma.

Absolutely, but it, could, be, wor,se.,, I, gues,s,.

Perfectly Fine (1)

cromar (1103585) | more than 7 years ago | (#20000643)

A sentence with several phrases separated by a profusion of commas - and one hyphen :)

Yea, pretty much. (2, Funny)

SatanicPuppy (611928) | more than 7 years ago | (#20000663)

Worst sentence I've read in a while, and during lunch I had to listen to a friend copyediting some weenie who routinely left out the verbs in his sentences.

Elucidate and superfluous are dross from a word of the day calendar; the english major equivalent of e-penis. Three seperate comma seperated subclauses in the sentence. Overuse of the passive voice. The use of an uncommon acronym (URI) can perhaps be forgiven since it's Slashdot. Hyphens are hard to use well, and should NOT be used unless you know exactly what you're doing.

How about this: "In the author's opinion, users should deregister all unnecessary URIs. He does not, however, give instructions on how to do so."

Re:Yea, pretty much. (1)

Shimdaddy2 (1110199) | more than 7 years ago | (#20000797)

Ironic, then, that you would use dross in your response. Isn't it a rarely used word as well? Or were you just flexing your e-penis?

Re:Yea, pretty much. (4, Funny)

SatanicPuppy (611928) | more than 7 years ago | (#20000957)

Actually I was being ironic on purpose. I guess I feel like I have to prove that I'm not against their word choice simply because their bombastic verbiage outstrips my linguistic comprehension, but rather because their grandiloquent ostentation obfuscates their actual meaning. (---E-penis +10 bitches! ;)

Never understood the obsession with big words. The point is to be understood, right? There are times when it is more elegant to use the word that has the exact nuance of meaning that you're trying to convey, but for the most part it's a lot more effective to use a word that everyone will understand.

Re:Yea, pretty much. (3, Insightful)

stonecypher (118140) | more than 7 years ago | (#20001691)

There are times when it is more elegant to use the word that has the exact nuance of meaning that you're trying to convey, but for the most part it's a lot more effective to use a word that everyone will understand.
Yeah, because if there's one thing that makes language easier to understand, it's changing your usage of a word depending on to whom you speak. Did it occur to you that the root of the problem is your fix? The only reason these people don't know these words is because other people around them are wrapped up in the fantasy that language is defined by usage, and that therefore it is somehow correct to be incorrect.

If you'd just speak formally _all_ the time, that'd be one less source of confusion for the unwashed masses. It turns out these things aren't inbuilt; they have to be learned from exposure. By denying exposure in the desperation to be understandable, you rob them of the chance of understanding in the long term.

Re:Yea, pretty much. (1)

SatanicPuppy (611928) | more than 7 years ago | (#20001899)

I don't think it's "dumbing down" to try and convey your idea in a form that will be understood by the majority of people...That's the goal, right? I don't have to shoehorn in a big word if I can convey the same idea with two more common words. The worst is when the larger word is actually less appropriate to your meaning than the smaller word (as in the summary), so you're actually warping your idea just so you can use a big word.

In a situation where there really is one word that really conveys the exact meaning, and there is no other word that will do in that situation, you've got to use the big word.

But that doesn't happen very often.

Re:Yea, pretty much. (0)

Anonymous Coward | more than 7 years ago | (#20000971)

How about this: "In the author's opinion, users should deregister all unnecessary URIs. He does not, however, give instructions on how to do so."

Better yet: "The author suggests removing unnecessary resource handlers, but he doesn't say which ones are unnecessary."

Re:Yea, pretty much. (1)

SatanicPuppy (611928) | more than 7 years ago | (#20001013)

Oooo yea, that's better. Killed the passive "In the authors opinion." Not even sure "deregister" is a word, killed the annoying acronym, and the "however" crap is a weakness of mine.

Re:Yea, pretty much. (0, Offtopic)

ShieldW0lf (601553) | more than 7 years ago | (#20001061)

How about this?

Some of us have a vocabulary.

We use more unusual words because they more precisely express what we're trying to communicate.

We don't think "What's a smarter-sounding word for 'clearly explain'?". We think "elucidate".

We actually think in these "big words" because we thoroughly understand them and they express what we're trying to say.

Why don't you grab a dictionary and educate yourself instead of throwing stones at your betters and revealing that you don't belong among them?

Re:Yea, pretty much. (1)

SatanicPuppy (611928) | more than 7 years ago | (#20001383)

I don't feel a need to use my vocabulary as a bludgeon against people who I believe to be intellectually inferior to myself. When I string words together, I'm not just talking to my linguistic equals, I'm talking to anyone who may happen to read what I've written.

I do this because my goal is to convey information clearly, to elucidate, as it were. It is in no way my intention to cloud my point with words that most English speakers won't clearly understand, not to mention all the people here whose primary language is not English.

If you think a huge vocabulary is a sign of intelligence, you're wrong. It's merely a sign that you have a large vocabulary. It may make you better at Crosswords and Scrabble, but that's about it. By constantly using a word like "elucidate" when you could as easily say "conveys clearly" or even, in this case, using the word "say."

A sentence like the one in the summary would be unacceptable in any job where clear, meaningful writing was required. It's also ugly, so it's hardly suited to more artistic writing. So what exactly is the point of crafting such a piece of impenetrable prose? Self-aggrandizement, and nothing more.

Re:Yea, pretty much. (0)

Anonymous Coward | more than 7 years ago | (#20001101)

Three seperate comma seperated subclauses in the sentence.
Teehee.

Re:Yea, pretty much. (0, Offtopic)

Control Group (105494) | more than 7 years ago | (#20001203)

Hyphens are easy to use well, as in "short-sighted," or (not often applicable online) when a word will not fit on the current line.

Em dashes (or em rules, depending on to whom you're speaking) are indeed a little trickier, but they aren't exactly NP-hard. The em dash can be thought of as a pause in the sentence, stronger than a comma, but weaker than a parentheses. One wouldn't be far off base thinking of it as similar to a colon - though the two aren't perfectly interchangeable, of course.

Frankly, I don't see a problem with the use of the em dash in the submission.

On the other hand, you're right about the overall quality of the submission. "Elucidate" is far from a necessary word choice; one could even argue it's not even the right word to begin with. The ambiguous predicate clause, which seems to say the users shouldn't elucidate which are superfluous is very poorly written.

Your suggestion is much better, except that it should be: "In the authors' opinion, users should deregister all unnecessary URIs. They do not, however, give instructions on how to do so."

(By preference, I would have kept it as one sentence separated by a semicolon, but I have an illicit love affair with sentences that are too complex; I have a peculiar weakness for the semicolon in particular)

Re:Yea, pretty much. (1)

Mattwolf7 (633112) | more than 7 years ago | (#20001435)

"But do not use semicolons. They are transvestite hermaphrodites, standing for absolutely nothing. All they do is show you've been to college." -KV [inthesetimes.com]

Re:Yea, pretty much. (1)

SatanicPuppy (611928) | more than 7 years ago | (#20001529)

As far as I'm concerned the AC above won the thread with: "The author suggests removing unnecessary resource handlers, but he doesn't say which ones are unnecessary." Short, active voice, very clear.

Agreed on the "-"; it was actually used in a valid way, but the sentence was moving into run-on territory, and needed to be stopped (As you can see, I love the ";" as well).

The word choice was by far the biggest problem, in my opinion. The desire to use a fancy word should never overcome the need to be understood...Unless you're James Joyce, or Thomas Pynchon, where being understood isn't the point.

Re:Yea, pretty much. (1)

cromar (1103585) | more than 7 years ago | (#20001531)

Semicolons are TOTALLY sweet; they are AWESOME.

Re:Errr (0)

Anonymous Coward | more than 7 years ago | (#20001953)

Did you REALLY find that hard to understand?

!Root (4, Funny)

rustalot42684 (1055008) | more than 7 years ago | (#20000501)

Maybe if they weren't running as root *all the time*, they wouldn't have so many problems.

Re:!Root (0, Troll)

Himring (646324) | more than 7 years ago | (#20000961)

How is parent offtopic? Truly, the vast majority of security woes in Windows is due to the entirely asinine practice instituted by microsoft ages ago wherein root is assumed. This has created both the hallofshame for applications that cannot work without it, and a useless registry entry for anonymous network access wherein, if changed to anything but default (where anonymous access across the network is wide open) then things just stop working in windows networking -- tiny things like, you can no longer see other computer or change your password or get to shares on servers....

If only mod points went to only the really technical member of /.

reponsability (1)

brenddie (897982) | more than 7 years ago | (#20000509)

The question of who is responsible for this vulnerability is again likely to be the subject of heated debate. In the previous cross browser vulnerability, Internet Explorer was passing crafted URLs to Firefox. In that case, the IE team denied all responsibility, stating that, "It is the responsibility of the receiving (called) application to make sure it can safely process the incoming parameters." If this is the case, then it would be Microsoft rather than Mozilla who find themselves forced to make the next move in remedying the unsafe behaviour.


At least the firefox team is not crossing their arms and shifting the blame back to IE, they are actually doing something to help solve the problem.

Didn't work for me... (4, Funny)

supremebob (574732) | more than 7 years ago | (#20000515)

I tried this on my computer, and the mailto: tag ended up getting redirected to my GMail account. Thanks, Google Toolbar!

Once again, Google saves the day! Is there nothing that Google can't do? :)

Re:Didn't work for me... (1)

ZachMG (1122511) | more than 7 years ago | (#20000853)

this isn't anything new, in my webdesign class we were taught this out of a text book to "integrate our sites" into the users experience. Seriously.

Re:Didn't work for me... (0)

Anonymous Coward | more than 7 years ago | (#20000893)

Google cannot pity foo's as well as Mr T, and cannot roundhouse kick like Chuck Norris.

Re:Didn't work for me... (1, Funny)

Anonymous Coward | more than 7 years ago | (#20001473)

Is there nothing that Google can't do? :)

Alas, it can't get me laid =(

Maybe worth noting... (1)

WhiteKnight07 (521975) | more than 7 years ago | (#20000525)

Only the one at the very bottom, listed as requiring user interaction, functions in Seamokey and succeeds in launching windows calculator. The mailto: one starts Seamonkey's mail and newsgroups. All the others just bring up an address not found error page.

Once again, the obvious solution..... (1)

Farfnagel (898722) | more than 7 years ago | (#20000531)

...is to not use Microsoft Crapware.

well.. (1, Flamebait)

spotlight2k3 (652521) | more than 7 years ago | (#20000561)

If using firefox, is there really a need to have ie7 installed anyway?

Re:well.. (4, Informative)

supremebob (574732) | more than 7 years ago | (#20000617)

If you're a Windows Vista user, you don't really have a choice. It comes pre-installed if you want it or not.

XP too. (1)

twitter (104583) | more than 7 years ago | (#20001185)

Is there any way to avoid IE7 if you are an XP user? I thought it was a forced "update" that had to be installed, unless you are a big company with your own special hell of updates and patches.

Re:XP too. (0)

Anonymous Coward | more than 7 years ago | (#20001319)

Just make sure you don't have auto updates set to auto download and auto install. You can then choose to not install IE7.

Re:XP too. (1)

Gr8Apes (679165) | more than 7 years ago | (#20001903)

Try Control Panel->Administrative Tools->Services->Automatic Updates, right click, press the Stop button if it's enabled, and then set the Startup Type to Disabled.

One of the first things I do with a new Windows box.

Not the end of the story (1)

ImaLamer (260199) | more than 7 years ago | (#20001275)

Don't worry you can easily remove IE7 from Vista:

1. Download an Ubuntu Live CD
2. Install Ubuntu
3. ....
4. Profit!

After receiving a new laptop with Vista I found that it could take up to five minutes for the machine to be usable from a cold start. It is the first time I've used Linux for anything other than serving up web pages (or other network service) and I'm in love all over again.

Re:Not the end of the story (1)

KarmaMB84 (743001) | more than 7 years ago | (#20001677)

The theory is that you can either hibernate or standby the machine and bring it up lightning fast. Hibernate actually shuts the entire machine off and restores when you boot it back up so until the machine starts acting wonky and needs an OS restart, there's no reason to do a full shutdown.

Re:well.. (1)

moore.dustin (942289) | more than 7 years ago | (#20000635)

Yes. It is nice to be able to keep some tabs open overnight and not have to force quit FF to free up the memory and start a new session. I do not know about you, but a 900MB memory footprint after 2 days seems... well it seems just a tad excessive.

Re:well.. (1)

Embedded2004 (789698) | more than 7 years ago | (#20000769)

Yeah I use FF exclusively and the need to restart the browser daily does get annoying.

Sometimes it is either a memory hog or somehow gets stuck on 99% CPU usage.

Re:well.. (1)

spotlight2k3 (652521) | more than 7 years ago | (#20000997)

Really? I have my FF up for at least a week most times before i restart it and usually my kid does that by hitting the reset button (3 yr old). Never have had a memory problem.

So the solution (1)

piratesyarr (1117287) | more than 7 years ago | (#20000619)

is to uninstall IE7? That's easy. I never installed it in the first place.

Not just Firefox. (5, Informative)

miffo.swe (547642) | more than 7 years ago | (#20000685)

Just about any application can forward malicious data to IE7. Microsoft can blame Firefox all they want but the hole will still exist in IE7 after having been patched by the Mozilla org. I repeat, the hole is accessible from any application connecting to the internet, not just firefox. IE6 does not have this security issue so its safe to assume the fault lies with Microsoft. Last time when the roles was the other way around, when Firefox passed malicious things onto IE Microsoft said the receiving application was at fault because it should check if it could handle what it received. Well, this time thats just how it is, IE7 does not check what it receive at all. In short, IE7 is unsafer in this case than IE6 was and the fault does according to previous statements from Microsoft no lie in the sending application (Firefox) but in the receiver (Internet Explorer 7).

Re:Not just Firefox. (5, Informative)

KiltedKnight (171132) | more than 7 years ago | (#20001051)

Based on what is said in TFA, if you pass the specially crafted URI into the Start->Run box, it will produce the same results.

This indicates that the problem is in Windows' parsing of URIs... as stated in the article. It's the handling of the NULL (%00) byte.

This has absolutely nothing to do with Firefox, but kudos to the Mozilla developers for trying to block the opening of null-byted URIs.

Re:Not just Firefox. (1)

Keeper (56691) | more than 7 years ago | (#20001949)

It doesn't have squat to do with null bytes (you don't need a null byte in the URI to trigger an exploit); it has to do with how Firefox specifyies its URI handler and how it parses command line input.

Re:Not just Firefox. (4, Funny)

griffjon (14945) | more than 7 years ago | (#20002105)

as stated in the article. It's the handling of the NULL (%00) byte.

At the risk of abusing a double negative, Windows can't even do nothin' right.

Re:Not just Firefox. (1)

Keeper (56691) | more than 7 years ago | (#20001119)

Really? So you're saying that IE7 should parse and sanitize input for an unknown/undefined URI? How would you propose that be done? Wouldn't that be something that, say, the URI handler ought to do? You know, the thing that actually knows what the URI is and what content it should have? Nah, easier just to say it's IE's fault...

Firefox? (0)

Anonymous Coward | more than 7 years ago | (#20000693)

I use to keep that installed to look for page consistency issues when doing some minor web design. But no more! That Firefox crapware is coming off today!

My vote : (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#20000703)


Fuck Microsoft [whitehouse.org] .

Survey says - "All of them"? (4, Insightful)

pla (258480) | more than 7 years ago | (#20000787)

To be on the safe side, users should, in the authors' opinion, deregister all unnecessary URIs - without, however, elucidating which are superfluous.

I can answer that one for ya - Everything that FireFox doesn't handle internally; So basically, kill everything except "http", "https", and "ftp".

If you want to send email, open your email program and paste the address in. If you want to read newsgroups, open your newsreader and select the desired group. If you want to use some specialized protocol that requires a dedicated app anyway (like many P2P URIs), open them in the appropriate program.

Your web browser should not serve as a no-click interface to every network-enabled app on your machine. Period.

Re:Survey says - "All of them"? (-1, Troll)

Anonymous Coward | more than 7 years ago | (#20001317)

Your web browser should not serve as a no-click interface to every network-enabled app on your machine. Period.
You are a slobbering faggot. Period.

Kinda cool (5, Insightful)

d3ac0n (715594) | more than 7 years ago | (#20001015)

Actually, while incredibly insecure, it is kinda cool to be able to slap in any program path in that malformed string and open any program.

For example, try this one if you have EVE installed on your PC: (You will have to copy-paste it as the Slashdot filter prevents the links from working.)

snews:%00%00../../../../../../windows/system32/cmd ".exe../../../../../../../../Program Files/CCP/EVE/eve.exe " - " blah.bat

Re:Kinda cool (1)

Cajunator (572036) | more than 7 years ago | (#20001269)

(You will have to copy-paste it as the Slashdot filter prevents the links from working.)
Yea! Slashdot is my new proxy for malicious hyperlink protection!!

Microsoft's fault, yet again. (0, Flamebait)

Zekasu (1059298) | more than 7 years ago | (#20001093)

Clearly, the fault lies in Microsoft's IE7. Why? The problem comes from IE7, not Firefox. I don't know, but the last time I checked, Internet Explorer was integrated into the Windows Shell, laying room for much potential harm.

My point being? If you have the plugin installed that allows Firefox to utilize ActiveX by running and instance of Internet Explorer in it, and someone has an ActiveX exploit on their page, which browser is liable to fix the vulnerability? Internet Explorer, obviously. Will they do it in a timely manner? Most likely not.

IE7 is safer than Firefox. (0)

Anonymous Coward | more than 7 years ago | (#20001241)

IE7 is safe - clicking on test links brings nothing.

Imho, ie7 is must safer than firefox:
Try http://bad.on.nimp.org/ [nimp.org] [WARNING: hard porno content] - it's kind of a joke page...
It tries to launch irc/mail/video/etc.
On ie7 (security settings set to High, js enabled) - nothing happens. Just one photo+security warning.

Firefox launches video player, irc, and crashes (this is something like forkbomb...).
To view page without 'suprise' you have to switch js off.

Warning - this 'works' even on firefox on linux.

So maybe it's rather firefox's security problem?...

If IE7 is to blame, why isn't IE7 vulnerable? (2, Insightful)

StonyUK (173886) | more than 7 years ago | (#20001347)

If IE7 is to blame, then how come it isn't vulnerable to such malformed URIs? Presumably it already checks for these 0x00 characters, whereas FF didn't until 3.0a7.

Fortunately there is a patch (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#20001543)

And you can download it here [ubuntu.com]

Possible Workaround (2, Informative)

BlakeReid (1033116) | more than 7 years ago | (#20001877)

FTA:

The latest version of the Firefox extension NoScript also filters URLs that are passed to external handlers. Once installed, at least the demo exploits only open empty windows, while for example normal mailto:-URLs [mailto] still work.


Looks like http://noscript.net/ [noscript.net] will cover you if you're looking for a temporary fix.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?