Fog Creek Software
Discussion Board

Mozilla Flaw Runs Arbitrary Programs

http://www.eweek.com/article2/0,1759,1621451,00.asp

There are actually some interesting points that one can learn from this event:

* Security of open source “by design” is no better than closed.

In other words, the decisions and general coding practices that the developers make/choose during the coding process are NOT more secure than closed source.

In fact, if you use IE, then you get a “save/as” prompt, whereas in Mozilla you GOT NO PROMPTS!

In fact, since you do get a "save/as", then MS is considering the issue, but may NOT issue a fix.

Again, my point here is about DESIGN DECISIONS made during the process.

Further, if you have the new Windows SP2, then the flaw does not even run, or work at all.

This shows me that MS is getting security right on the money. Both Office (Outlook) and Windows have had substantial upgrades in the security area. (When is the last time we heard about an Outlook script virus?)

MS is hammering away at security until they get it right (like the new XP update.. the flaw does not even work!).

Likely in 1 year's time, Windows security will be FAR better than it is now. Soon, I predict, security issues will diminish to a small trickle and actually become a distant memory in our minds.



Albert D. Kallal
Edmonton, Alberta Canada
kallal@msn.com
http://www.attcanada.net/~kallal.msn

Albert D. Kallal
Tuesday, July 13, 2004

I predict a flamewar coming up.

But in all seriousness.  Security is something the Open Source world is not going to be able to validly bash Microsoft about too much in coming years (though up until very recently they did have a point). 

Of course, many of them still will, just as they continue to crack BSOD jokes even though Windows 2000 and above are among the most stable platforms I've ever done day to day development on (and this includes SunOS/Solaris, Irix, AIX running on RS/6000 boxes, etc).

It is somewhat amusing that the prevailing wisdom has always been that the more marketshare Microsoft gets, the less they'll spend on things like improving the OS, making things more secure and reliable, when the opposite has been shown to be true.  Microsoft's own management seem to be among the few who understand that standing still is never good in the computer industry, no matter how much market share you have, lest you travel down the road of IBM in the late 80s/early 90s.

Mr Fancypants
Tuesday, July 13, 2004

Well, in all fairness, there already is a patch out there for it.  When will IE fix its security bugs?

Unix2M$
Tuesday, July 13, 2004

2 points:

1)  The fix was available very quickly

2)  I get the fix as a single patch that I can apply in 2 seconds.  I don't have to install a whole service pack which may contain stuff I don't want.

Ged Byrne
Tuesday, July 13, 2004

Ged beat me.

muppet from madebymonkeys.net
Tuesday, July 13, 2004

And the attack only works because of known and unpatched vulnerabilities in Windows.

Tom H
Tuesday, July 13, 2004

The Mozilla flaw was fixed very quickly (hooray for Mozilla, my favourite browser).

However, if you take a browse through Bugzilla, you see that this problem was identified about 2 years ago and at one point was labeled as "won't fix" by the developers.  Not so good.

Rammalamma Dingdong
Tuesday, July 13, 2004

Albert - Why would you start a security patch argument *today* of all days?

http://www.microsoft.com/security/bulletins/200407_windows.mspx

Greg Hurlman
Tuesday, July 13, 2004

I think if Microsoft's even *possibly* at fault for anything here, it's because my assumption as a browser author might be that any external program that actively registers a protocol ("itms:", "aim:", "irc:", etc) with the system would know how to safely deal with any (untrusted) data sent to it.  "Shell" doesn't fit that assumption, which would make it somewhat Microsoft's fault if they had told me to make the assumption in the first place.

But a design that makes more sense is the "whitelist" method in which a protocol is only externally relegated if the *browser* was actively told to do so (such as by iTunes's installer).

The "shell" protocol isn't a broken idea in the first place, it's just not something that the browser should allow unless explicitly instructed.  Which is exactly how IE under SP2 and the new Mozilla releases handle it.

Pierce
Tuesday, July 13, 2004

>>"the Open Source world is not going to be able to validly bash Microsoft about too much in coming years"

How true.

This is, unfortunately, an area where the Open Source zealots have their heads buried firmly in the ground.  As OSS programs like Mozilla and Linux become more widely used, they will be targeted more frequently.  If Mozilla (or any OSS program) had the 96% market share of Windows, it would be targeted relentlessly by the many thousands of malware programmers out there.

While it's true that Windows in general (and IE in particular) has many flaws that are due to sloppy programming and/or bad design decisions,  no software is perfect.  If you poke and prod ANYTHING long enough, you'll eventually find a hole.

Rammalamma Dingdong
Tuesday, July 13, 2004

Before all of us Mozilla/Firefox users pat ourselves on the back, it's worth noting that this bug was opened in 2002.

It was temporarily covered up with a blacklist of known unsafe protocol handlers, and only recently fixed with a whitelist system that only allows known safe handlers.

It may have been a quick turn around time between when most people heard about it and when the fix was issued, but it wasn't like the hole was only there for a short time.

Kevin
Tuesday, July 13, 2004

boom-chicka-wow-wow

muppet from madebymonkeys.net
Tuesday, July 13, 2004

"* Security of open source “by design” is no better then closed. "

However since Mozilla is not part of the f'ing operating system there is a hell of a lot less that can be exploited.  So you take one buggy C application and mainline it into the OS and you've magnified your bugs by several orders of magnitude.  Mozilla does no such thing.

You MS fanboys rally round your own kind and stay in denial.  You can't fool all of us all of the time - hence the MS stock price has stagnated.

.net, the equivalent of MS Bob.
Tuesday, July 13, 2004

"And the attack only works because of known and unpatched vulnerabilities in Windows."

Oh that is too rich.  OSS is at fault because they have a hole that is only a security problem because of the OS.

Back to the drawing board MS Fanboy's.

.net, the equivalent of MS Bob.
Tuesday, July 13, 2004

Pretty clearly Mozilla was doing the "right thing" by passing unhandled protocols to the OS to handle.  The facility in the OS is there to be used.

Almost Anonymous
Tuesday, July 13, 2004

"If you poke and prod ANYTHING long enough, you'll eventually find a hole."

God, with that defeatist attitude I hope you don't work for my bank, or for any organization where security matters. (Correlating story - at one firm I advocated switching SQL Server to integrated authentication alone, turning off mixed-mode, thereby enforcing password complexity requirements, allowing for account lockouts, rendering connection strings unclassified, etc. A coworker, sadly in a management position and with no knowledge of delegation or impersonation, retorted that it was useless anyway, because the hackers would just hack in and toggle the authentication bit. I've never forgotten this hilarious exchange. "Security? What's the point!")

"If Mozilla (or any OSS program) had the 96% market share of Windows, it would be targeted relentlessly by the many thousands of malware programmers out there."

This has been rehashed a million times - Apache has a far greater market saturation than IIS, running many high value sites, yet it has suffered _dramatically_ fewer exploits (and the impact of those exploits has been significantly reduced. This is despite the fact that hackers can pore over the code to look for holes, unlike MS code where MS shat their pants over the security implications when parts of the source were released recently). Oracle and DB2 both have larger or comparable market saturations with SQL Server - how many Oracle or DB2 worms are you aware of?

The sad reality is that for many years Microsoft put security as a "would be nice" feature in a rush to bring features to sell the next version of X. The reality is also that the pressure of Linux/OSS has largely been responsible for Microsoft security initiatives. Just as you have imports to thank that your domestic car is fairly reliable today, Windows users (such as myself) can thank Linux and other competitors for the vastly increased stability and security of Windows as of late.

Sidenote: Windows versus Mozilla isn't the benchmark of closed versus open source security - there are a tonne of closed source products that are absolutely rock solid.

Dennis Forbes
Tuesday, July 13, 2004

"Pretty clearly mozilla was doing the "right-thing" by passing unhandled protocols to the OS to handle.  The facility in the OS is there to be used. "

What if the code passed <img src="del c:\windows\*.*"> to the OS?  I mean, the delete facility is there to be used, right?

Kevin
Tuesday, July 13, 2004

Firefox also checks for updates, so it sort of patches itself.

What I'm curious about is in the Advanced tab:

Software Update
- Allow websites to install software

I saw it & immediately unchecked it.

www.MarkTAW.com
Tuesday, July 13, 2004

"What if the code passed <img src="del c:\windows\*.*"> to the OS?  I mean, the delete facility is there to be used, right?"

You're not serious are you?  That's a pretty lame attempt at an argument. 

You know, viruses wouldn't propagate at all if the OS didn't provide socket connections.  In fact, we wouldn't have SPAM either or pop-up ads.  I say we shouldn't allow programs to open up network connections at all.  Problem solved.

Almost Anonymous
Tuesday, July 13, 2004

Don't you hate the way an initial discussion about the merits of OSS software as improved security becomes Microsoft vs Linux?

The bug was spotted 2 years ago!!!!!!  The many eyes worked, but not so many fingers to do the typing.

So for the last two years they've been arguing over whose bug it is, and then finally released the patch when an exploit appeared in the wild.  Is that right?

My faith in OSS weakens a little.

Ged Byrne
Tuesday, July 13, 2004

Does anybody have a link to the Bugzilla entry?  I think it would make interesting reading.

Ged Byrne
Tuesday, July 13, 2004

Ged

http://www.eweek.com/article2/0,1759,1621451,00.asp
->
http://update.mozilla.org/extensions/moreinfo.php?id=154
->
http://bugzilla.mozilla.org/show_bug.cgi?id=250180#c0

==== Description:       Opened: 2004-07-07 06:46 PDT

User-Agent:      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040616
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040616

This notice covers BOTH a security concern and a DOS.

1) Using the "shell:" prefix in addresses on a Windows PC allows access to the local file system. AFAIK all shell shortcuts in IE will also work in Mozilla. Addresses such as "shell:cookies" pass the call to Explorer and it shows the desired location. Addresses to individual files or cookies are handled by Mozilla and treated as a "file:" protocol. While I have not looked into the exploitability of this behavior, it would seem to be a security risk as IE has supposedly dropped this functionality in SP1 for IE 6.

2) By making a request for a file that does not exist on the user's system using the "shell:" prefix, Mozilla will continue to open windows until the user's system crashes.

So even if 1) is not perceived as a true bug, 2) definitely is a bug.

Examples of both at http://www.mccanless.us/mozilla/mozilla_bugs.htm

Reproducible: Always
Steps to Reproduce:
1. See example site

Actual Results:
various see above and example site

Expected Results:
denied access to all local files

====

plus comments, etc.

www.MarkTAW.com
Tuesday, July 13, 2004

""What if the code passed <img src="del c:\windows\*.*"> to the OS?  I mean, the delete facility is there to be used, right?"

You're not serious are you?  That's a pretty lame attempt at an argument.  "

How exactly is my argument lame?  You're making the case that Mozilla's behavior of passing any unhandled protocol to the operating system (and thereby assuming that every registered protocol is 100% safe for remote invocation) is the correct thing to do.  How is that different from passing any unhandled system command to the operating system?

Kevin
Tuesday, July 13, 2004

See also:

http://bugzilla.mozilla.org/show_bug.cgi?id=167475

Note that in October of 2002, a blacklist was put in place, and the issue was somewhat dormant until people realized that a whitelist would really be the way to go.

Kevin
Tuesday, July 13, 2004
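The blacklist-versus-whitelist distinction Kevin draws above (a 2002 blacklist of known-unsafe protocol handlers, later replaced by a whitelist of handlers the browser was explicitly told about) can be shown as a small policy check. This is an added example, not Mozilla's code: the scheme sets, the `vendorapp:` scheme and the sample links are constructed for illustration, and the functions only decide whether a link would be handed to the OS; they never launch anything.

```python
"""
Added example: two ways a browser can decide whether a URL whose scheme it
does not implement itself should be handed to the operating system's
registered protocol handler.  Not Mozilla's code; every set below is
constructed for illustration.
"""
from urllib.parse import urlsplit

# Schemes the browser implements internally (constructed list).
INTERNAL_SCHEMES = {"http", "https", "ftp", "file", "about"}

# Blacklist policy (the 2002 approach described in the thread): deny a few
# schemes known to be unsafe and forward everything else to the OS.
DENIED_SCHEMES = {"shell"}  # hypothetical blacklist contents

# Whitelist policy (the later fix): forward only schemes that the user or an
# installer explicitly registered with the browser.
ALLOWED_EXTERNAL_SCHEMES = {"mailto", "itms"}  # hypothetical registrations


def scheme_of(url: str) -> str:
    """Return the lower-cased scheme of url ('' for a relative reference)."""
    # Canonicalise before any policy check: a case difference or stray
    # leading whitespace must not change which branch is taken.
    return urlsplit(url.strip()).scheme.lower()


def decide_blacklist(url: str) -> str:
    """Blacklist policy: 'internal', 'denied' or 'external' (handed to the OS)."""
    scheme = scheme_of(url)
    if scheme == "" or scheme in INTERNAL_SCHEMES:
        return "internal"
    if scheme in DENIED_SCHEMES:
        return "denied"
    # Any scheme the blacklist did not anticipate reaches whatever handler
    # the OS has registered for it, safe or not.
    return "external"


def decide_whitelist(url: str) -> str:
    """Whitelist policy: forward only explicitly registered schemes."""
    scheme = scheme_of(url)
    if scheme == "" or scheme in INTERNAL_SCHEMES:
        return "internal"
    if scheme in ALLOWED_EXTERNAL_SCHEMES:
        return "external"
    # Unknown scheme: refuse, even though the OS may have a handler for it.
    return "denied"


def register_external_scheme(scheme: str) -> None:
    """What an installer (e.g. a music store client) would ask the browser to do."""
    ALLOWED_EXTERNAL_SCHEMES.add(scheme.lower())


def compare(urls):
    """Decision of both policies per URL, as (url, blacklist, whitelist)."""
    return [(u, decide_blacklist(u), decide_whitelist(u)) for u in urls]


if __name__ == "__main__":
    # Constructed sample links, including the shell: form from the bug report.
    SAMPLE_LINKS = [
        "http://example.com/",
        "mailto:someone@example.com",
        "shell:cookies",
        "SHELL:cookies",
        "vendorapp:open?item=1",  # hypothetical scheme the blacklist never heard of
    ]
    for url, black, white in compare(SAMPLE_LINKS):
        print(f"{url:30} blacklist={black:9} whitelist={white}")
```

The row that matters is the hypothetical `vendorapp:` link: the blacklist forwards it because nobody thought to deny it, while the whitelist refuses it until an installer calls `register_external_scheme`. That is the difference between "deny what we know is bad" and "allow only what we were told is wanted", which is the design change the thread describes.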

Kevin,

Your argument is lame because in your example the web browser does not have to take any "special" action to prevent files from being deleted under the windows directory. The "open" function (or whatever it may be in Windows) would just return an error because it only accepts file names, not arbitrary DOS commands.


On a different topic, I doubt many people have ever argued that OSS authors are better at DESIGNING software (as the OP seems to suggest). The most readily stated advantage of OSS is the ease and speed at which bugs are found and fixed.

Also, look for security issues to "diminish to a small trickle" right about when we all stop releasing new software. Security holes are just one type of software bug and I find it hard to believe we'll ever stop putting bugs in software (although it's a worthy goal).

Tom Mack
Tuesday, July 13, 2004

The main reason, I believe, that Apache 1.3.x is so bug-free is that really all development on it has stopped except for bug fixes.

However, this is entirely in the realm of open-source.  All development on Internet Explorer has stopped (or so it seems) but bug fixes are not coming out.  I'm sure MS could put a few people on staff just to stamp out IE bugs only and put a release out every few weeks and it wouldn't take long before IE renders CSS better and has no exploits.  But it just doesn't happen.

Almost Anonymous
Tuesday, July 13, 2004

"* Security of open source “by design” is no better then closed."

Wow, Albert!  That's some serious analytical thinkin' goin' on there!

One instance of a vulnerability in Mozilla vs. uh, sorry, but I kinda lost count of the number for IE.  Therefore, the open source model is no better than the closed source one.  QED.

In fact, why don't you just take your post as is, and submit it for journal publication.  No need for more research or data; your argument is unassailable as it stands.

Jim Rankin
Tuesday, July 13, 2004

Tom,

You're disagreeing with part of my example but missing the point.  Let's say my program implements a protocol handler with the ability to delete files (bad idea, but there's nothing to stop me).  Would Mozilla be taking the correct action to pass <img src="delete://windows/*"> to Windows, knowing that Windows will pass it along to my delete-happy protocol handler?

Is it a huge problem that Windows behaves the way it does when it comes to protocol handlers?  Yes.

Does that mean that the Mozilla developers are excused for not addressing that fact, even after they knew about it?  No.

Kevin
Tuesday, July 13, 2004

>One instance of a vulnerability in Mozilla vs. uh, sorry, but I kinda lost count of the number for IE.  Therefore, the open source model is no better than the closed source one.  QED.

Well, I am perhaps thinking above the kind of stuff like "Ford is better than Chevy" based on emotions, or perhaps even worse is one example of a Ford breaking down makes my point rock solid (it does not!).

The point to be made here is that the “process” of developing software via OSS does NOT make a more secure system. I think that point does need to be made. I also think that in general this point is “often” made by OSS advocates.

When we look at products like Outlook, which has been the bane of so many virus problems, were the coding practices at fault, or the criteria used to make the product?

As a general rule, the desired target, or interoperability of the product is NOT the same thing as the coding and development process. We need to separate the two issues.

In fact, the problems with Outlook are very much due to it being a COM object. If the Outlook object model was created by OSS, my guess is that the results and vulnerabilities would still exist (by the way, is there a popular COM (well ok.. CORBA) email client in the OSS world? I don’t think so!). However, I can say right now that an email COM object makes my life SOOO much easier from a coding point of view.

And, I will say right now that a LARGE portion of my work involves the use of Office applications as COM objects. You just have to hear a client say:

    While looking at a particular customer, can I press a button to generate a report and attach it to an email? You would have to be living in a cave to not have had requests like this (or not been developing software for business!). So, do you use COM objects as a solution here or not? I do!

My biggest fear in MS’s new world of security is that we will lose the inter-program communication that the COM object model gives us. To lose this, I would in fact give up the advantages that developing under Windows gives me to other possible desktop solutions.


Albert D. Kallal
Edmonton, Alberta Canada
kallal@msn.com
http://www.attcanada.net/~kallal.msn

Albert D. Kallal
Tuesday, July 13, 2004

This is Microsoft and their minions looking for a fig leaf.  OH, Mozilla fails this test, therefore its OK.

Mozilla is patched, 1.7.1 is out today.  Only the browser is affected.  Done.

SP2 is YET TO BE RELEASED.  Coming to a Theater near you soon.  Not available in stores. As seen only on TV. Order before midnight tonight.

What else can you say?

hoser
Wednesday, July 14, 2004

>SP2 is YET TO BE RELEASED.  Coming to a Theater near you soon.  Not available in stores. As seen only on TV. Order before midnight tonight.

>What else can you say?

----------------

Actually, it says a lot.

First, SP2 is not affected by this problem. This is an issue of change of attitude, and not one of issuing a patch for this particular problem. Beyond this simple one-time issue of Mozilla problems.

Once again, there seems to be this grade school attitude here. Oh.. gee, that new SP2 is not out yet!... so you can’t use that in your arguments! (Gee.. kids… give me a break!!!) Gee, big glass of spilled milk here because SP2 is not out yet?

Sounds like people in France when a plane crashes. The first thing they look at is the plane maker. If it is Boeing, they are out in the streets dancing since it likely means more sales for Airbus. Of course, the other way around… they feel sad all day.

Gee, are people actually sad, or upset when they see a Windows security flaw, and of course upset when they see an OSS flaw? Gee, what sad lives people lead these days!

I mean, sure… yes, it is good to note that SP2 has the Windows firewall enabled by default, and the OS can now even intercept requests for port use (this is great!). However, the firewall and security built into SP2 is not aimed at this particular problem anyway.

The fact that SP2 is not released, and was not designed around this particular problem IS A BIG POINT!!! The reason WHY it is a big deal is that it shows that future updates will make Windows a lot more secure. This is not a fix by fire issue anymore.  So, yes, the fact that SP2 is immune to this problem BEFORE it happened is rather a big deal.

Once again, my point was not so much that Mozilla has some stupid security hole (which, by the way, is much of a Windows problem anyway!).

My point was that the OSS development process does not make more secure software as has been widely touted.

I feel rather surprised that people don’t see the change in the IT industry towards security, and what is going on in software development these days.  If you love the aircraft industry, I would think you see beyond the Boeing vs Airbus sparring.

For my industry… security is the new reality. If you don’t think the major players in this industry are working on this issue.. then there is nothing I can do!

As I said:

Now that security is priority for the IT industry…we will see this stuff diminish in the future (by a LOT)…not the other way around.


Albert D. Kallal
Edmonton, Alberta Canada
kallal@msn.com
http://www.attcanada.net/~kallal.msn

Albert D. Kallal
Wednesday, July 14, 2004

"Once again, there seems to be this grade school attitude here. "

Say no more because

--- You started it ---

Did so, did not, did so, did not,...

Oh yeah, well I'm tellin' Mom.  You're the OP.

BTW: <whisper>
SP2 is not out yet.
</whisper>

hoser
Wednesday, July 14, 2004

>Say no more because

--- You started it ---

-----------

What exactly do you mean by the above? Once again, the grade school mentality comes out!

Why do you have to characterize this thread as something being started by someone? Are not all threads started by someone? What exact great intellectual concept are you trying to explain to me?

Am I somehow denying that I did, or did not start this thread? (Let's not be so silly here!!) It is quite obvious I did start this thread, and I am quite happy to contribute to this message board.

I can only hope that you also desire to engage in a good discussion about this issue.

I welcome any points or contributions you have on this issue.


Albert D. Kallal
Edmonton, Alberta Canada
kallal@msn.com
http://www.attcanada.net/~kallal.msn

Albert D. Kallal
Wednesday, July 14, 2004

Umm you don't need a COM object in order to create an email and an attachment. 

If the only email transport you're going to support is Outlook then fair enough.  Personally, I'm more in favour of using SMTP, that way I just need the address of a valid mail server.

Simon Lucy
Wednesday, July 14, 2004

Outlook is certainly not the only solution here!

However:

Actually, the common work solution here is that while viewing the particular customer, we press a button, generate the invoice, attach the invoice, and bring up the email client with some pre-defined text, but at that point, the user takes over, and can:

-    Edit the text further, adding specific comments

-    Attach a few more documents (this might be a quote, and not an invoice). Those additional documents likely will be Word docs, or even just some promotional brochures in PDF format.

In all of these cases, having a programmable email client really helps. If I can use something else than Outlook to do the above, then sure…. I am all for it. However, I do want the user to be able to write and send emails, and I need/want some user intervention in this process. As you can see, the COM object model suits this process very well. Further, from a training standpoint, a familiar interface is used.

If we are talking about some email blaster program that does not require any user intervention, then Outlook is not the first choice here at all (it likely would be far down the list). There is a big difference here between workflow automation controlled by a user as compared to some large email blaster system.

So, using an email client that can be automated is not the only solution here, but the COM object model tends to save a ton of work for those user driven applications.


Albert D. Kallal
Edmonton, Alberta Canada
kallal@msn.com
http://www.attcanada.net/~kallal.msn

Albert D. Kallal
Wednesday, July 14, 2004

I'm a bit confused Albert.  I'd read the whole problem as "Windows Flaw Runs Arbitrary Programs".  But anyway, let's tackle the "OSS is not secure" assertion.

"My point was that the OSS development process does not make more secure software as has been widely touted."

As people in this thread have said, major OSS software (including Mozilla) has consistently proved to be more secure (fewer compromises, smaller window of opportunity to be compromised because of rapid fixes rapidly, widely and effectively applied) than major closed source software (especially that from a particular vendor.. please feel free to jump in Philo).

IIS vs Apache
MS-SQL vs ... everyone else, closed included ...
IE vs Mozilla (ok, bit of a scale problem for desktops here)
Windows vs Linux/*BSD (OpenBSD anyone?)
Outlook/OExpress vs ... everyone else, closed included ...

Spot a trend, Albert?

Please start naming and shaming OSS products that are famously and repeatedly insecure.

Now the source availability has nothing to do with design method, of course.  What we need are examples of badly designed open source software..

i like i
Wednesday, July 14, 2004


>> Please start naming and shaming OSS products that are famously and repeatedly insecure

It's so easy.

Sendmail.

Rick Tang
Wednesday, July 14, 2004

As jwz said once, any program that's around long enough eventually uses email.

I'd never use something like Outlook or Outlook Express to do mailing like that; it's simpler to do it yourself, it's only arranging the chunks and then calling SMTP.  In any business app you already have the chunks marshalled, at most you just need a covering message from the user.

COM has its uses, especially if you have a good chance that 'Design by Contract' is going to work, at least notionally.  MS has a horrible history of changing its COM interfaces in ways which just break applications.

Plus it's a bit tricky selling your app to them if they use Eudora or somesuch for their mail.

Simon Lucy
Wednesday, July 14, 2004

"The point to made here is that the “process” of developing software via OSS does NOT make a more secure system."

This may be so.  But the data presented so far do not by any means justify or validate this position.

I accept that it is your sincerely held opinion.

Jim Rankin
Wednesday, July 14, 2004

>MS has a horrible history of changing its COM interfaces in ways which just break applications.

(sounds like the CLR runtime debate!)

Actually, I had very good luck in this regard. In fact, with Office objects, MS REALLY tries hard to keep things the same.

In fact, I have automation code for Word and Outlook that spans 4 Office versions (that is a LOT of versions of Office). Further, a good many of the Office applications are mixed and matched (different versions of MS Access vs Word vs Excel installed, for example).

Guess what? Never (I repeat NEVER) have I had to change the code across 4 versions. In other words, my automation code just doesn’t break! (Even in mixed environments!)

My experience does not prove, or disprove, that the breaking of COM interfaces occurs by MS, but I had REALLY good luck in this regard. And, they don’t try and break these things!

As long as one uses late binding in place of early binding (and not fixed references) you are home free. And, the performance cost of late binding is not noticeable. Late binding might add .03 seconds to the load of Word… but really, that is insignificant compared to the load time etc.

So, as a rule, you generally are trouble free in using major applications such as Office objects.

However, your comments about using SMTP in place of an automation object have sparked my interest.

I’m going to start another thread on that issue… (later tonight… working right now!). I am very curious as to the pros and cons of an automation approach vs using some SMTP “library” that you have hanging around (I have considered using an SMTP library in the past).


Albert D. Kallal
Edmonton, Alberta Canada
kallal@msn.com
http://www.attcanada.net/~kallal.msn

Albert D. Kallal
Wednesday, July 14, 2004

---" My biggest fear in MS’s new world of security is that we will loose the inter program communication that the com object model gives us. To loose this, I would in fact give up the advantages that developing under windows gives me to other possible desktop solutions."----

We've already started to see some of this. Take what I need to do, which is to get a contact automatically added to the address book from an Access database. About a year ago I found a message would pop up every time saying another program was accessing the address book. I think it's got even more difficult now.

(The Outlook account that needs to be opened is a delegate account on Exchange Server so it's not as simple as it seems).

It seems some kind of digital signatures are going to be needed since the whole point of Office is interoperability.

Stephen Jones
Thursday, July 15, 2004
