Dear Thierry Zoller,

--Saturday, October 6, 2007, 9:06:51 PM, you wrote to bugtraq@xxxxxxxxxxxxxxxxx:

TZ> Dear Geo.,

G>> If the application is what exposes the URI handling routine to untrusted
G>> code from the internet,

TZ> Sorry, Untrusted code from the internet ?
TZ> The user clicks on a mailto link, is that untrusted code?
TZ> Or the mailto link is clicked for him.

What a URL is is defined by RFC 1738; what mailto: is is defined by RFC 2368.

The string in question is definitely _not_ a URL because of %xx and ". The double quote is a URL delimiter and is not part of the URL; in this case the application incorrectly parses and highlights the URL (it should stop before "). %xx is an invalid character encoding. And altogether it is, for sure, not a mailto: URL.

Passing unchecked user input to a function called ShellExecute(), where a URL is expected, is a bug. So, while there is a security vulnerability in Windows, there is also a security vulnerability in mIRC, Acrobat Reader, Netscape, Miranda, Skype, because ShellExecute() behaviour is not defined for the case where non-URL data is passed to the URL processor.

-- 
~/ZARAZA
http://securityvulns.com/
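As an added example (not code from the thread or from any of the products named in it), a defensive check that applies the argument above before a string is handed to a URL handler such as ShellExecute(): it rejects any character RFC 1738 does not allow in a URL (the double quote among them), any % not followed by two hex digits, and anything that is not a mailto: URL in the RFC 2368 shape. The function names, the launcher callback and the sample strings are constructed for illustration.

```python
import re
import string
from urllib.parse import unquote

# Characters RFC 1738 allows literally in a URL (alnum, safe, extra, reserved, '%').
# The double quote is a delimiter around a URL, never part of one, so it is absent.
_URL_CHARS = frozenset(string.ascii_letters + string.digits + "$-_.+!*'(),;/?:@=&%")
_PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
_ADDR_SPEC = re.compile(r"^[^@\s,<>]+@[^@\s,<>]+$")
_HEADER_NAME = re.compile(r"^[A-Za-z0-9-]+$")


def validate_mailto(url):
    """Return (True, "ok") if url is a well-formed mailto: URL, else (False, reason).

    Checks mirror the objections in the thread: any non-URL character such as '"'
    means the string is not a URL (RFC 1738), every '%' must start a %xx escape,
    and the scheme must be mailto with RFC 2368 addr-specs and header names."""
    for ch in url:
        if ch not in _URL_CHARS:
            return False, "non-URL character %r (delimiter or unsafe)" % ch
    # A lone '%' or a '%z1' leaves the two counts unequal.
    if url.count("%") != len(_PCT_ESCAPE.findall(url)):
        return False, "invalid %xx encoding"
    if not url.lower().startswith("mailto:"):
        return False, "scheme is not mailto"
    to_part, _, query = url[len("mailto:"):].partition("?")
    for addr in filter(None, to_part.split(",")):
        if not _ADDR_SPEC.match(unquote(addr)):
            return False, "malformed addr-spec %r" % addr
    for hfield in filter(None, query.split("&")):
        name, sep, value = hfield.partition("=")
        if not sep or not _HEADER_NAME.match(name):
            return False, "malformed header field %r" % hfield
        # Only the body may carry %0D%0A; a decoded CR/LF elsewhere smuggles in extra headers.
        if name.lower() != "body" and re.search(r"[\r\n]", unquote(value)):
            return False, "CR/LF in header %r" % name
    return True, "ok"


def safe_open_mailto(url, launcher):
    """Hand url to launcher (a hypothetical ShellExecute wrapper) only after validation."""
    ok, reason = validate_mailto(url)
    if not ok:
        return False, reason
    launcher(url)
    return True, "ok"
```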