* Steven M. Christey: > Throughout this whole discussion on URI handling and IE, let's not > forget that: > > 1) ANY technology that uses "handlers" that pass commands and > arguments from one process to another, is likely to have these > kinds of issues. Web browsers are just the first to get this kind > of attention. All products that support plugins, whether web-based > or not, should be examined for this type of problem. Uh, the "first" part is not quite true. There was some discussion about mailcap entries, and whether you should use %s or '%s' at some time in the 90s. > 2) Programs that were formerly assumed to be safe because they were > only ever intended to be invoked by a single user, will now become > unsafe if they're referenced in a handler. Think second-order > symlink issues as one example, or buffer overflows in command-line > arguments for non-setuid programs that are likely to be used in > handlers (image converters, anyone?) Again, we have been though this with *roff, Ghostscript (and its various front ends), DVI viewers and TeX itself, and many more (and the classic "unshar", of course). It's just another round on a different operating system. Image viewers are particularly interesting because even if your favorite and bug-ridden MIME types like image/gif are handled by a (supposedly patched) mail/web client, chances are that the image viewer recognizes a GIF image even if it is declared as image/x-xwindowdump, exposing its vulnerable GIF code.
