Waiting and Watching Is Sometimes the Best Course of Action
A recent cluster of disclosures showing how a number of third-party applications on Windows could be manipulated into launching other applications through the modification of seemingly innocuous URIs led some (but not many) to sit back and ask whether some other, more critical problem at the system level was facilitating the vulnerable behaviour.
Around the same time, it was disclosed that the popular alternative browser Firefox was vulnerable to a condition in which a link clicked from Internet Explorer could launch Firefox and, through manipulation of the command-line parameters passed to it, change browser settings or capture data.
This problem gained the greatest attention when it was disclosed that PDF documents could be crafted so that, in various readers including Adobe's, clicking a specially formatted link from within the modified PDF would open and manipulate other applications. Battle lines were drawn in the Information Security community between those who believed that the problem lay with the third-party software providers (Adobe and others), who were failing to adequately sanitise the information being passed from their applications to the system, and those who claimed that the information being passed was acceptable and that it was the underlying system that was at fault.
While some argue that the Firefox and Adobe vulnerabilities are two distinct issues, others point out that they are closely related enough to be considered essentially the same problem: insufficient filtering of input passed to the system's URI handler. In one case (Firefox) the unfiltered input is passed straight through as command-line arguments to the launched application; in the other, the system URI handler misinterprets invalid characters in the URI as boundaries between commands and acts on the resulting requests.
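The argument-injection path described above, as an added example that is not code from the original article or from any of the products it names. A hypothetical handler template and scheme (example:) stand in for a real registration; a simplified Windows-style argument splitter shows how an embedded quote escapes the quoted "%1" slot and delivers extra switches to the launched application; and a strict RFC 3986 character check shows the kind of filtering the article says was missing, rejecting embedded quotes, whitespace and bare percent signs before the string ever reaches the system handler. The template path, the scheme name and the sample URIs are all constructed for the illustration.

```python
import re

# Hypothetical handler template, modelled on the "%1" substitution that a
# Windows URI-scheme registration performs: the whole URI is spliced into the
# quoted argument.  The path and the scheme "example:" are assumptions for
# this illustration, not real products.
HANDLER_TEMPLATE = r'"C:\Program Files\example\app.exe" -url "%1"'

# RFC 3986 character classes: unreserved, reserved (gen- and sub-delims) and
# a percent sign only as a well-formed %XX escape.  Quotes, spaces, control
# characters, backslashes and a bare "%" are therefore all rejected.
_SCHEME = r"[A-Za-z][A-Za-z0-9+.\-]*"
_URI_CHAR = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/?#\[\]]|%[0-9A-Fa-f]{2})"
_SAFE_URI = re.compile(rf"^{_SCHEME}:{_URI_CHAR}*$")


def is_safe_uri(uri):
    """True only if the whole string is a syntactically valid RFC 3986 URI."""
    return _SAFE_URI.fullmatch(uri) is not None


def build_command_line(template, uri):
    """Naive splice, as a handler registration does with %1: no escaping."""
    return template.replace("%1", uri)


def split_args(cmdline):
    """Simplified Windows-style tokenisation: double quotes group, unquoted
    whitespace separates.  Backslash-escape rules are omitted; they are not
    needed to show how an embedded quote breaks out of the argument."""
    args, current, in_quotes, have_arg = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            have_arg = True
        elif ch.isspace() and not in_quotes:
            if have_arg:
                args.append("".join(current))
                current, have_arg = [], False
        else:
            current.append(ch)
            have_arg = True
    if have_arg:
        args.append("".join(current))
    return args


def naive_dispatch(uri, template=HANDLER_TEMPLATE):
    """What an application that forwards the URI unchecked ends up launching."""
    return split_args(build_command_line(template, uri))


def checked_dispatch(uri, template=HANDLER_TEMPLATE):
    """The same hand-off, but refusing anything that is not a well-formed URI
    before it reaches the system handler."""
    if not is_safe_uri(uri):
        raise ValueError("refusing to dispatch malformed URI: %r" % uri)
    return naive_dispatch(uri, template)


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    benign = "example:open/document?id=42"
    hostile = 'example:open" -flag "injected'   # embedded quote and space
    malformed = "example:open%"                 # bare percent sign

    print(naive_dispatch(benign))    # 3 arguments, as intended
    print(naive_dispatch(hostile))   # 5 arguments: "-flag" now reaches the app
    for u in (hostile, malformed):
        try:
            checked_dispatch(u)
        except ValueError as exc:
            print("blocked:", exc)
```

The naive path reproduces the article's point from the application side: with no filtering, a single quote character inside the URI turns one quoted argument into three, and anything after it is parsed as switches by the launched program. The checked path is deliberately a whitelist on syntax rather than a blacklist of known-bad characters, so a string with a bare "%" is refused as well, without the application having to know how any particular version of the system handler will interpret it.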
Although it can be argued that third-party developers need to address how information leaves their applications, it later became apparent that the underlying system was at fault. Microsoft eventually acknowledged that it had changed how Windows handles URIs passed from applications, and that this change had been introduced with Internet Explorer 7 (hence the difficulty some had in reproducing the exact problems).
If software developers build their products against published system APIs, and those APIs remain consistent across operating system versions, developers should be able to expect their products to perform to the same standard of usability and security. It is not reasonable to require developers to account for silent system modifications that change their product's overall behaviour, for example by introducing security vulnerabilities.
Cultural thinking of this kind, in which developers are expected to fix issues in the underlying system by modifying their own software so that their products continue to behave as the published APIs they were developed against promised, is dangerous. At best it leads to unnecessary bloat and inefficiency in software which, accumulated across a system, can have a profound effect on overall performance and resource availability. At worst it introduces new vulnerabilities and weaknesses that can cause system instability.
When users are faced with a bewildering number of incremental patches and updates, it is little wonder that they ignore, or are simply unaware of, the software updates that really matter to them and their systems.
Sometimes the best thing to do is to sit back and observe, then apply pressure to the party responsible for an issue to fix it, rather than relying on everyone else to work around it.
17 October 2007