Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


IE vs. Mozilla on the Shell Hole—Whose Bug Is It?



 By: Larry Seltzer
2004-07-12
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Opinion: Mozilla exposed the scheme, opened the hole. Now it's a debate in security circles. But the only way this is a vulnerability in Windows is if it's a vulnerability for a shell to be able to run programs.

In the wake of last weeks revelation of a security hole in Mozilla that allows the execution of arbitrary programs on the client system a philosophical debate has emerged: Is this a bug in Mozilla or a bug in Windows?

I think the argument is that Windows should prevent the shell scheme from executing programs, but this isnt a job for Windows. This is a job for the browser. All Windows is doing in the case of what was just patched in Mozilla is taking an instruction to run a program and running it. If the browser didnt ask for it, it wouldnt happen.

Clearly the behavior of the browser is important here. Internet Explorer in Windows XP SP2 kills off the links completely, much as the patched Mozilla does (in fact, the patched Mozilla doesnt even underline them, making them appear as plain text).

But even IE in Windows XP SP1 behaves more reasonably. Its behavior is identical to that of a straight href of the program file. The user is asked if they want to save or open the file and are given a clear warning that the program could be hazardous.

How did Microsoft get Internet Explorer do this? It actually looks as if IE just stripped the shell: from the link and treated it like a regular href. This is an interesting thought, still the important point here is that Microsoft didnt just take a program name and tell Windows to execute it.

Ive seen some claim that the fact that SP2 is so merciless with shell: links is proof Microsoft knows there was a problem in Windows, that what was really fixed was the browser, not Windows. Remember, its the browsers behavior thats changed in SP2, disabling the links completely.

Resource Library:

For example, I was able to make an SP2-like change in an SP1 system with a very small change to the registry. The change is quite analogous to the Mozilla fix from last week. In the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults I created a REG_DWORD value named shell and gave it the value 0. Thereafter, Internet Explorer on the system treated the shell: links as dead. No action at all was taken when anyone clicked on them. The user could right-click and select Open or Open in a New Window, but nothing will happen. On this same system, an unpatched copy of the Mozilla browser still loads the programs when the links are clicked.

Check out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis.

So, what does this experiment prove?

If there is a Windows facility for shell links and its that which is at fault, then Internet Explorer doesnt use the same one as Mozilla. It looks as though theres less here of Windows than some think. The parsing and passing off to the Windows shell with Explorer is entirely a browser affair.

In discussions with representatives of the Mozilla Foundation, they conceded this indeed was a bug and didnt try to foist the blame on to Microsoft. And thats because they know whats usually perfectly obvious: that browsers are supposed to look suspiciously at content and try to protect the user. Theres little to be gained by a defense that its Windows fault, not when you wrote the application to tell Windows to run whatever content comes up.

The fact is that any operating system allows programs to run other programs. The real difference here between Windows and other operating systems is the permissions of the user in whose context the browser is running. If the user has administrative rights, as is the case with far too many Windows users, then the browser can do whatever it wants. If the user is restricted, then so will be the capabilities of programs they run.

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

For corporate Windows installations, this browser situation is an implementation issue, because its definitely possible to have users log in to Windows with restricted permissions. (One day I really must look into whether this can be done practically with a Windows XP Home system, but more importantly it just isnt done.) None of this changes the fact that the browser basically told the operating system to run a program. This is a natural thing for a program to do, IE, Mozilla or otherwise, if its safe to do. And if its not safe the browser shouldnt do it.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

More from Larry Seltzer

Check out eWEEK.coms Security Center at http://security.eweek.com for the latest security news, reviews and analysis.

Be sure to add our eWEEK.com developer and Web services news feed to your RSS newsreader or My Yahoo page



  Reader Comments: IE vs. Mozilla on the Shell Hole—Whose Bug Is It?
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Larry Seltzer
 


xmW(Yk&sN C lnv9we9xplo̟8_uJ$@>iH,TU*JR ?Jt4ôG1%c}{~HΛ7omŏ9UQ#3)9S]MHwW3f#өP/w ;᳑(yVშ bHKF9yٜh#ˈ #s?fp,Ƌmg͊lrZ'jfm(CN}֥qOD|2: [tV:v g*UN8py#f_ʞ0ȁz5"p8$j;^7w=[(;a |%BЫva͎r{hPL!p:x ]3~DbB@2dF!8nu4DՐl1X ?t'CH\@vl:r~/CoeZVu#ϙz8EI8ccM c Ч@2xZ`:vH{t!.Gو[~_i }ˇŚKՃʡrpX߉W m8e'2-ݽh[RŢ^u79}]`i=v$V,+ڧnG;[oǁ\"ͱ oem#3]U%ZJIR|:-DG" B+.oVK7"-RK K'y̮gf^Ґ UUQXNڭޙbii]Z7nZ'9waXX^" jZ,N&Yu|>94m'!|Аe>m= 3Ixnvt"I,3p|gS a {>0sB}+Z$ i -Dv|@)Xh>Pp<x0< [/.AC` V>PYMAY' 6)X.'s>G60-pSRHx9/r:@ @ =JII mF "CѓFt :`gs'0EGNNf B@wW$_^pƉp (7]HtFN_-#a b -t{b~I8l eV&~O/Lb/Dv_, W } =Muc@|d45 SRm]yOe&L`` ș.)c K8X 0#y`?m'(c=P2ha} n/| `0#c큮6(91m0M}L+h5 6Lh,ao&>;6bgO!>wl(`VrIncKˌ0vJbsϦ@@Whφ` 631P.L0Yީ{?|"]}r769ȯ6x*bрː ;v gJclX.b=+jMM,bs8z`q X0b=Aߛ8\%g5f{ 3ykqbؑRR|~j BH= 3Ӊn*s38TMk=wlZFtay׋aT5,6D 8qa,ri *gX?Qɚ=#fbTK-+Ӟ#*.-W1V@ c&D8t_h_( #G˿^wwSzm1FCny< %@Wj#fLf L`.x8#JJEmX))J%!)`L@cykL{0& 5PnN2($/pk@`B^j%&`sV折 - t[;;$&E Pu0$Pߤm&%K!.pXsWyQG?M=~ԪRVgGj@V8Y+0OyoU&Q.ՁȾ3cY;v ogrاw{rxmbx䃋 ,` |* #ixI;d#wW5'L=0=GKV,9?Ś?S +q 5Exc71NP GJtlBv!ה2tݛ `1}j>a! bf0&b@ ۬4pΨa\tiY$Vu`w|!e3RL=7K$wE} 渡*ZIeoi+h#S ` k# 0V+X`Cx*:Kh +tܶ |~`7Նyg^U-ߌg>%Z(szzZRcb9[Ѿ-X5N(_g, Rd`nM}Y@7 IWrs~D/>A팽;l[E?L' Cދɯku 2܄C\>+Um'>I~ &ƹiq+%͜R\`N 8h΄l ޼U=,A)+CXl=$-ʹVLsa1d0&_*eR)Z+(Ab259p\Semi;}6N*}XT^&<X))NeٟHWNuLspI(U!v+We*UKH$%.U* ~޶&^`.LKJM t_ S0C/IK/:;–jc|~'$%켹k.HȖ;=yվt| 8}_M;GAN.Z(@?^+O;.4.ߤY_G\'0[mԾjoa7[-HeLR({N$ƸkO^DiKFmu 7q0^ |/BN׹pKe疟ƫuKJbun[wr CH#,B^!"k3d<)eF:$]w&D_ tnZ\Xpi.Ť"^k-kmAN3n *^_IFh֬Yï0oU ka In*TktR}E 1`KF7Oѩ{iD2 @X:Uaҏ"織(R.XLO‡,uڹmrcsl}E_opۗAC<<_ZdxH'BY1`GgKz+9ƭIr ׉Nv}lq_4u8pxc|=JP /Mu>nAR4 jGYsnNF1Obp71 ch9G!!J Ķޣd ecgSR6%I" IRդ<8KieE%!%7J3=m MXMzsD&{6g+KWn_"^v6\0ِqk6/Á@0 Qސ-?Jc: K" IAUb/VU+$]we%GZxF2&m]%3 #4/tZgP::[G{:?ĥGn~^J>}U-geQJ=׸&zD`Nqu5Q<{qI%.p{?k`\Tk{ (^Ah3\ YC4 RbOfmc7qd>Ld9 AX V9f'88@CId=pl=|;t71'pPx176 y)1htR o7lf<g ~@k#Ǽ3iZ'Kh4|#HVoO_ϲoN{cC|3 m_jSK76ol).ěk3[60S_o<bg(yl`l{y>'`:9hjV،̳dsP>L01dH@'g/_bjbMޘ<2`kCr`X&ð+`?~0bWށRU_ƽL:HP"Eȅト7*SNLf eMەO*jE0;vILWc=v@A^X,W):ǯ .@lT 9X;Tc^E葦-ƌ|~J,rr=Em1Wɲ[y Oļ636;ۭ fUeb/]iwEQ&s!2g@UY/:SA栓F|L (PgI Nv0_BdAWWAgWǘAzb DqMW[3-peDDp~$F:mأ傚OSu^<Ē;j\I*qiJM6Teȃ2OȜ,Ilvřĕ+1Mn$s`> k%\Jʥi˰<\UGd!+9Lt:/TtʡZVJTѡ5}q ဈ"\DTMQQT!6xÊ!I*K{rU|Dl^^MݒZO嘁 KM Iu ށqտT,9X!NǴ3 VWEO1$"" 6'{M %!(ޓ~@tWI\̥+>ttHn %T;K ;*ݰ^oքwsH-{˸H_i@Wa`]/:3WHv7(VD&5u%]YZ'%bRܔcs0DX=[|Gnk%bq<_RKAe8$ 8Dx}p|bI< J8y Ɨf^ȷ 6"nx1R`5xQ`! KĻ#㍪mCmLu Sn)I7X T:~x1ت <) nqVm@xlS4c!ehB~&y_gUXM2.wu~}}}}{(ZE5,.C`uZԐN1uNF:?aZ`ФI.IzC0_y}jzCR7x}Sp TEXw-_OtV'^sk"\:^Vhy͕F3VWB !u-3H%Bss#7xӚ_?t&N:<;Hk{syzbhRUjl۶itCע5chN$!HoERx7|kSE_>T c>|P|Ԙ5W,BQ+ Vx| [Df !HSu{?olc$H|2Cl?QX2xL{o/I}oY Y6iN"z$tѴB)]c]ʡ\sO.sYE*NrȈZL+5L5:qU6&2HuP@ʡUH4I`7i1]S_)FmzYC`5`um;bW7k+mLxT9Owx􄾥޼vgO%Yձȱ,;_J"<." Rb,hww$.։,eb6-S7ၭ5O8.>ȜmGALrxPUR4c 2Sjx#=sB'`{V,(bXtax߱iG$``\6}=Ř5$Xh]Yk[ԪnF[*^3 D˧ܤG1m NWWdJzSy# 1- ƌ,6-$@=d9T>pyn.*OŚ߫'ru [>.4>+- oe[Њo=#okI TAWp#<`WjG8{|Qz@k#El~%:|dH~Ap_1ԓGMЀ1v_s;Ba,b+pL['酀Czhb!31FPp\GǭVWf\^u@̙6Q fnpoeLmFGϹ«;6g4=acH ]TWXA&x3 BxwtP`!!cкtɇtCa#K^79Ē#M?Qݽhz{UncDV3O0摩},/iȘjMQhҖhxğeM[r405`@ZDhs<䏸HJ 1!Fi֔)&؏XcFKmG;N1jsR-uC@c"U|8 =J  zo4?صK3U,%Ҟ9hL !}A?po2&Tm$xs y6fssXc;(SKo.2}l?6qAq2? :ܦ`ڻy-UEY|mby> gŃ9R]¬vx"vO]Pƒ ,Bq{=9aiea^Mݗ?0}(/njz+5'K]Si_)1C SƪZNqW6#Sw26q9Lv%mrxSJVp{T̑!;}^h`>5p }a3bp5? ͛OsK"'Mݹ&'m¶v|G ٧ͧu}c`$Gƿd&Q0mweZU)S]9ў,j5W#Z]fqxixID_1=tuۚ={{N*q^bQ@*}q7 6 '=ͳV[V\k.h>?řt|Yf12[ZTofm [/!U9k6waq7hOwit[Хo%u BAoP~ (@y'% xp(? gX]~_Wrrg;__埠K /+*+{+U @>2 *C>QG33/"P+((kП a:`_:&C>noA~n3 w3 {  ׇ ʁ}}ee]%:Ig89(/O2\{~)PPa* g ̴;ZiM+?3^}{+sg#i,9a銪gM+OY[ʹV:qt @&cQ4 k 7b_EYII{R}t̏I> p弝c&[JĻRo*,7cŘNikr(s|gNV0GfY!k=oFD1Kfb2vDQ'elS? `bE~' 8\p٭ࢠ>N%~.:7pGZ _ڎVܝZH \|1?b 9y&OxV&?v>4(P[4LԸGhQV"wk@F;Vj?b4z:p}bO~Hyٿiot(O6 *8 ߜ:\RvƂ7`ɐ1z>;/4DZ=C PO.7p97vFvfu $ srP,UVj%WaG;E&C>;CQL`FԢ*R#}a`|P,.g /(@#غ7M{%}C3=q̐ga1Voq+B&Bx vm!rƫ2fdof2nQKCt`Kd;ցP` |@=s{w; 玃BoVrgMߟbuǤStl'ήqLC'msPۙصw)o+qF4ϯhգ{9đٴ)9P3lAЉ ~u+M&Dz&߼+=?uOo;(,_Ųjz#n=Nؔ1$Q6#-ۋEry091pHNܡXNYוh!by9]x6X?6%YŤe @ q0e@[;i^ric,Z8R3k160>C=A{v 1+T|hcоxQ q4;׏gt() kEF(t#bY+́Rn/ˬPJmDr~pe`O*}qsAflk8}XSq2T/bœj@@ǶӁoD~f:fJ~.𒮨'1;`ru'ݟL uFPRH\vBaItiO xe 6{N3܄Qxq|*xl x QaI';=k#cQIt>x*8" k(H s{F|&n{j-R%n2 馃% 4aW5DA焿H9aCm5u7LdzԢر#oHױ"98wBhôd |A«M/=" cX G_b12.n:`oȢsH:A QO\lx^Dr ΆjŮj9.KpRJVr.Q<fwYPn"x򋯡ł0l=$~1|t,&c s9>!m^Πob/[MFK9jDz]&PL¶)J:pY0٠O[=$sDs݅ ؠ(b- EJ>b< &T |= -{6LDR}Nm?'6}A5+K"@[ul՝Ĩ3 Hy䁜22ZQ{HVFϗ\ /o| 8lO.lzt (Eْ;p?FsoϋAnK|2qZD[ +"䃔ZIc,2kE0+e;5K P`ψ3ӈv"@wD` ȉ(b{Z6n +ot)(5x2vN鏗ec[,\v/-8'yJ1^P. ,N82y<-w; n7#$*| X^c0,20 OoMp::hقG kDxԬ{PTl@x`Pcz BbTev܄1UFDmkT[_ )*lcVu /߱8o^muCX+i; [__A@X>1[<ϑ[_xA|L/X~vxsvA}/ר,L@L[˕Z'][Wma$30]d3xWRzcC vaxph[z[F #6;`2 1=lMzD ϰbo :[ApAg7e3S<"Y/;cy:|lwɌ\8njWW6xozc;|6g`({C]Ay@~Ղ`!8gnh]~9&cǢx1|v19&Y >J Km)蓋ȣg|^4}j5]x Q`gP X-1#DvxsR.i095A}Ȧ [Ej F.1pK/xqm/}0 9]/>$ݬoewV 3O{ī--MV$oč|E]Oޤ8g'>=sHvooJO~ݽ:CL׿˾ė_u: ҂LFN༿ưZ ,s(Sg#B/9hE%4@3x}3v!?6iF!{{vK&x8 r 1/ /p]s||=bMM(ru_OA>q gWɥ vF#O{Vq֪z Xg˱#Q`٩y  KԷŘgpf괯rn?5Fcve5 *=K8~:xʶy&_` 'X%vqwD7p^'םv./UrWw .;x)"t'vDGZZ4ySBe4JS`n3㒆xNEvYp =`kjf1xk@n!x#@Łϻ"0 =/n3OG[nP@'W˧zb,Gt]܄]f#+ 9b fzt2^7kǖ-Y`B~s5B 1ơU3Y]ZP8_ t[ zy?_&>P54?G&,пbXgV(\N#wu-&i9FG9uupei`Bjpg ~ ޑ<0Gl>?{7 mz/;xrƲO%.82:۠]grl&lu3p/ _N=0+ڹ 6Fb svCz6F=W38q N'Ҁ\ ao!6qPe௭A€;WrϝZ:D" +9\v$ƞ\\@v7G"jM@'--77rvPPC&SsNe0=k5/]wzC#ԹG,px\Z3[h/C6u4gpҨ}ZڧMQ[lmRi9bPⵝoűqI6Ă?/ŬpQ_%Bf ܘR&X9p6o&-+4{ x83mh̳bf%KMnOxDK5 ƌ5:IѸqF"yA#i|5%ɑ 4+y_F^Iθ~"8ȅ=41)h&(^dQ&5"8N8a}NzURG^wTnv1q0>J&Lh&ѡrNQ[If2V;