Who is Responsible for URL Security?
Note: This post is more technical in nature than most.
There has been a big debate this summer over who should fix a possible security flaw outlined in Security Advisory 943521. Most examples use malformed “mailto” tags to show how Windows passes along info to the function ShellExecute based on registered URL handlers.
In the past, Microsoft has voiced its opinion that it should be the application’s responsibility to verify any URL before it’s passed to Windows. Many have encouraged Microsoft to somehow create a global fix with a security patch in Windows.
This was a case where I was on Microsoft’s side of the argument. Of course my reason was selfish because I fear any changes could break the functionality of WinPatrol PLUS requests. This week Microsoft announced it would look at a fix on their end.
“Our plan is to revise our URI handling code within ShellExecute() to be more strict”. For the tech savvy, here’s what happens.
“With IE6 installed, ShellExecute() passes the URI to IE which accepts it and inside IE determines it to be invalid. Navigation then fails harmlessly. With Internet Explorer 7 installed, the flow is a bit different. IE7 began to do more validation up front to reject malformed URI's. When this malformed URI with a % was rejected by IE7, ShellExecute() tries to “fix up” the URI to be usable. During this process, the URI is not safely handled. IE7 rejects the URI, and on Windows Vista ShellExecute() gracefully rejects the URI. That’s not the case on the older versions of Windows like Windows XP and Windows Server 2003 when IE7 is installed.”
The % is a very special character. It can be used to hide and embed potentially dangerous code. It can also be used to represent characters which, in my case, I want to pass in the parameters of a URL. For instance, %20 represents a space character, which is safer for me to send and easy to parse on our server. It’s also used so I can pass & and ? characters within the parameters of my URL request.
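An application-side check of the kind described above, as an added example (not code from this post, WinPatrol or Microsoft): parameter values are percent-encoded so a space, & or ? travels as %XX, and a URL is refused before it reaches ShellExecute() if its scheme is not listed or a % is not followed by two hex digits. The function names, the http/https allowlist and the example.invalid host are assumptions; the advisory's exact malformed input is not reproduced here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the only schemes this application hands to the shell. */
static const char *const ALLOWED[] = { "http://", "https://" };

/* Percent-encode one parameter value so space, '&', '?' and '%' travel as
 * data. Returns the encoded length, or -1 if `out` is too small. */
int encode_param(const char *in, char *out, size_t cap)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    if (cap == 0) return -1;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        int plain = isalnum(c) || strchr("-._~", c) != NULL;
        if (n + (plain ? 1 : 3) >= cap) return -1;
        if (plain) { out[n++] = (char)c; continue; }
        out[n++] = '%'; out[n++] = hex[c >> 4]; out[n++] = hex[c & 15];
    }
    out[n] = '\0';
    return (int)n;
}

/* Return 1 only for an allowed scheme, printable ASCII with no spaces, and
 * every '%' followed by two hex digits; the caller refuses anything else. */
int url_is_well_formed(const char *url)
{
    size_t i, ok = 0;
    for (i = 0; i < sizeof ALLOWED / sizeof *ALLOWED; i++)
        ok |= strncmp(url, ALLOWED[i], strlen(ALLOWED[i])) == 0;
    if (!ok) return 0;
    for (i = 0; url[i]; i++) {
        unsigned char c = (unsigned char)url[i];
        if (c <= 0x20 || c >= 0x7f) return 0;
        if (c == '%' && !(isxdigit((unsigned char)url[i + 1]) &&
                          isxdigit((unsigned char)url[i + 2]))) return 0;
    }
    return 1;
}

int main(void)
{
    char q[64], url[128];  /* constructed sample; example.invalid is a placeholder */
    encode_param("a b&c?d", q, sizeof q);
    snprintf(url, sizeof url, "https://example.invalid/r?note=%s", q);
    return url_is_well_formed(url) ? 0 : 1;
}
```

The scheme comparison is case-sensitive on purpose, so the caller should build its own URLs in lowercase rather than loosen the check.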
Microsoft has not announced a time frame for any fix, so I’ll be keeping an eye on this one and my fingers crossed. I’m guessing I won’t be the only one affected by a major change in how ShellExecute handles a URL. If you read my previous post “Windows Versions Are Like SnowFlakes” you’ll see why these changes scare me.