If you haven’t heard of the story, Microsoft and Mozilla are in disagreement over who’s to blame for a security flaw disclosed on July 10th. Mozilla and Thor Larholm, who made the bug public, are saying Internet Explorer should make sure a URI is valid before feeding it to external applications, while Microsoft says developers should be careful with protocol handlers, as they are prone to this type of attack. Microsoft’s view shifts the blame to Mozilla.
What I found interesting, though, was an iDefense advisory published last week that shows both companies were notified of the problem in mid-June.
The iDefense advisory, Multiple Vendor Multiple Product URI Handler Input Validation Vulnerability, seems to detail the exact same bug found by Larholm. But, if the advisory is correct, iDefense researcher Greg MacManus found the bug almost a month before Larholm and notified both companies on June 13th.
The timeline, as published in iDefense’s advisory, is quoted below (emphasis mine):
VIII. DISCLOSURE TIMELINE
06/13/2007 Initial vendor notification
06/13/2007 Initial Microsoft response
06/13/2007 Initial Mozilla response
06/14/2007 Microsoft states defined behavior
07/17/2007 Microsoft updates MSDN article
07/17/2007 Mozilla releases Firefox 2.0.0.5
07/19/2007 Public disclosure
Both companies replied on the same day, so they can’t say they haven’t received the notification. Yet, both waited for Larholm’s public disclosure, which was on 07/10, to do anything about it.
As an added note, Mozilla admitted earlier this week that Firefox has the same problem and also feeds potentially dangerous parameters to applications registered as protocol handlers. Over at his blog, Windows guru Jesper Johansson teaches Mozilla an important lesson on glass houses.
If you have no idea what a protocol handler is, try the iDefense advisory. It does a good job of explaining it and also mentions RFC 3986, the document that defines what is and what’s not allowed in a URI (which should be the standard to be followed in this case).
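To make the "validate before handing off" point concrete, here is an added example (not code from the advisory, Microsoft or Mozilla) of the check a browser or launcher can run before passing a URI to a registered protocol handler: it accepts only the characters RFC 3986 allows (unreserved, sub-delims, component delimiters and well-formed %XX escapes) and rejects everything else, including bare '%' and non-ASCII. The handler table and sample URIs are constructed for the demonstration.

```python
import re
from typing import Callable, Dict, Tuple

# Character classes from RFC 3986 section 2. This validator is an added
# illustration, not the behaviour of any real browser.
_UNRESERVED = r"A-Za-z0-9\-._~"
_SUB_DELIMS = r"!$&'()*+,;="
# pchar plus the delimiters that may separate URI components
# ("/" "?" "#", and "[" "]" for IPv6 literals in the authority).
_ALLOWED = rf"[{_UNRESERVED}{_SUB_DELIMS}:@/?#\[\]]"
_PCT_ENCODED = r"%[0-9A-Fa-f]{2}"
_SCHEME = r"[A-Za-z][A-Za-z0-9+\-.]*"

_SCHEME_RE = re.compile(rf"^{_SCHEME}:")
_URI_RE = re.compile(rf"^{_SCHEME}:(?:{_ALLOWED}|{_PCT_ENCODED})*$")


def validate_uri(uri: str) -> Tuple[bool, str]:
    """Return (ok, reason). Anything outside the RFC 3986 grammar is rejected."""
    if not isinstance(uri, str) or not uri:
        return False, "empty"
    if not uri.isascii():
        return False, "non-ASCII character (RFC 3986 URIs are ASCII-only)"
    if not _SCHEME_RE.match(uri):
        return False, "missing or malformed scheme"
    if _URI_RE.match(uri):
        return True, "ok"
    # Whole-string match failed: report the first offending character so the
    # caller can log something more useful than "malformed".
    for i, ch in enumerate(uri):
        if ch == "%":
            if not re.match(_PCT_ENCODED, uri[i:]):
                return False, f"bare '%' at offset {i} (must be %XX)"
        elif not re.fullmatch(_ALLOWED, ch):
            return False, f"disallowed character {ch!r} at offset {i}"
    return False, "malformed"


def dispatch(uri: str, handlers: Dict[str, Callable[[str], str]]) -> str:
    """Hand the URI to the registered handler only after it validates."""
    ok, reason = validate_uri(uri)
    if not ok:
        return f"REJECTED: {reason}"
    scheme = uri.split(":", 1)[0].lower()
    handler = handlers.get(scheme)
    if handler is None:
        return f"REJECTED: no handler registered for scheme {scheme!r}"
    return handler(uri)


# Constructed stand-ins for applications registered as protocol handlers.
HANDLERS: Dict[str, Callable[[str], str]] = {
    "mailto": lambda u: f"mail client <- {u}",
    "custom-app": lambda u: f"custom-app <- {u}",
}

if __name__ == "__main__":
    samples = [
        "mailto:alice@example.com",                  # valid
        "custom-app:open?file=report%20final.txt",   # valid, proper escape
        'custom-app:open?file="report"',             # quote is not allowed
        "custom-app:open?file=100%",                 # bare percent sign
        "custom-app:open?file=a b",                  # unescaped space
        "ftp://example.com/",                        # valid, but no handler
    ]
    for s in samples:
        print(f"{s!r:45} -> {dispatch(s, HANDLERS)}")
```

The check is deliberately character-level: it does not try to understand what the receiving application will do with the URI, only whether the string is a URI at all, which is the step the two vendors disagreed over.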