July 18, 2007

it's just too hard for microsoft to fix security bugs

There's been some back and forth on this URI protocol handler issue over the last week. It's been interesting to watch and I think it says a lot about how different organizations approach security.

Today, just as we've updated Firefox to help mitigate IE's URL handling flaw, Markellos Diorinos, a Product Manager for IE, says essentially "it's too hard for us to fix this."

The limitless variety of applications and their unique capabilities make it very difficult to have any meaningful automated parameter validation by the hosting (caller) application.

It's just too hard to get this 100% fixed so we're not even going to try. Is that the attitude you want from the people making your software?

At Mozilla, we were able to address the biggest part of this problem in Firefox ages ago by simply escaping quotes in URLs before handing them off.

When you're surfing the web in Firefox and a website wants to send an address to some other application like AIM or Skype or Acrobat Reader, Firefox packages up that address before handing it off to another application. We think it's Firefox's job to ensure that users are protected from malicious websites when they're surfing the web in Firefox. Apparently Microsoft doesn't think the same for IE.

update: Apparently there are cases where we don't escape quotes in URLs. We're working on it.

Saying it's too hard is not a justification for failing to take even the bare minimum steps to protect users. Microsoft needs to reconsider here and do what's right for the millions of IE users at risk instead of trying to shift the responsibility to "limitless variety of applications" that users have installed.

Making good software is hard. Making good software secure can be even harder. At Mozilla, we vigorously take up that challenge. We don't use it as an excuse for inaction.

Posted by asa at 12:17 PM