Security Flaw Affects XP, Windows Server 2003, IE7

Microsoft has shouldered some responsibility for a recently discovered security hole in Windows XP and Windows Server 2003 that uses Internet Explorer (IE) 7 as the attack vector. The company plans to announce a forthcoming update to fix the vulnerability.

Microsoft yesterday released Microsoft Security Advisory 943521, detailing the exploit. The vulnerability is specific to XP, Windows 2003 and IE 7. Vista and earlier versions of IE are safe, according to Microsoft.

It stems from how Windows handles URLs, or URIs (uniform resource identifiers): an unsuspecting user clicking on a crafted hyperlink could end up with malicious code running on their machine. The flaw was apparently introduced with the upgrade from IE 6 to IE 7, which changed how Windows parses URIs so that it can choose the wrong application to handle a protocol.

US-CERT (The United States Computer Emergency Readiness Team), on its Web site, gave an example of how the flaw could be exploited:

"For example, a 'safe' protocol such as mailto: may be incorrectly handled with an 'unsafe' application, such as the Windows command interpreter. This can allow unexpected execution of arbitrary commands."

Norwegian researcher Thor Larholm first brought the flaw to light in July. At that time, Microsoft blamed third-party applications for the vulnerability, saying applications need to be responsible for their own protocol handling. Now it seems to be accepting at least part of the blame for the defect, while still pointing out developers' responsibilities.

On the Microsoft Security Response Center Web site, Jonathon Ness blogged about next steps.

"Our plan is to revise our URI handling to be more strict," he wrote. "While our update will help protect all applications from malformed URIs, application vendors who handle URIs can also do stricter validation themselves to prevent malicious URIs from being passed," Ness continued.
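One way an application could do the stricter validation Ness describes before handing a URI to the operating system's protocol handler, as an added example that is not Microsoft's or any vendor's code; the scheme allowlist and the specific checks are assumptions, not requirements from the advisory:

```python
import re
from urllib.parse import unquote

# Assumed per-application policy: only these schemes are ever handed off.
ALLOWED_SCHEMES = {"http", "https", "mailto", "ftp"}

_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*$")  # RFC 3986 scheme grammar
_PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")                 # well-formed %XX escape
# Characters that must never reach a handler unencoded: quotes, shell
# metacharacters, and ASCII control characters.
_FORBIDDEN = set("\"'<>{}|\\^`") | {chr(c) for c in range(0x20)} | {"\x7f"}


def validate_uri(uri, allowed=ALLOWED_SCHEMES):
    """Return (ok, reason); ok is True only if uri is safe to pass on."""
    if not uri or len(uri) > 2048:
        return False, "empty or oversized"
    if any(ch in _FORBIDDEN or ord(ch) > 0x7E for ch in uri):
        return False, "control, quote or non-ASCII character"
    if " " in uri:
        return False, "whitespace"
    scheme, sep, rest = uri.partition(":")
    if not sep or not _SCHEME_RE.match(scheme):
        return False, "missing or malformed scheme"
    if scheme.lower() not in allowed:
        return False, "scheme '%s' not in allowlist" % scheme
    # Every '%' must start a complete %XX escape; a stray '%' is exactly the
    # kind of malformed URI the advisory says vendors can reject themselves.
    if "%" in _PCT_RE.sub("", rest):
        return False, "malformed percent-encoding"
    # Decode once and re-check, so an escaped quote cannot slip through.
    if any(ch in _FORBIDDEN for ch in unquote(rest)):
        return False, "forbidden character after percent-decoding"
    return True, "ok"


def triage(uris):
    """Constructed sample run: map each URI to its validation verdict."""
    return {u: validate_uri(u) for u in uris}


if __name__ == "__main__":
    for uri, (ok, why) in triage([
        "mailto:alice@example.com",   # constructed, benign
        "https://example.com/?q=1",   # constructed, benign
        "mailto:alice%2",             # constructed: incomplete escape
        'mailto:a"b',                 # constructed: raw quote
        "file:///c:/x",               # constructed: scheme not allowed
    ]).items():
        print("%-28s %s (%s)" % (uri, "PASS" if ok else "REJECT", why))
```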

Juergen Schmidt, a researcher at Heise Security, noted that a number of programs are affected. The flaw, he wrote, "hits a lot of applications, not only Firefox (and mIRC) -- namely Skype, Acrobat Reader, Miranda, Netscape." Schmidt also hinted that it's likely that more programs could be affected.

Microsoft's security advisory didn't say when the update would be ready. The company just delivered its monthly "Patch Tuesday" release. The next one is scheduled for Nov. 13. From time to time, Redmond releases mid-cycle patches, but only in rare cases where the vulnerability is extremely serious.

About the Author

Keith Ward is editor of Virtualization Review magazine. You can contact Keith at [email protected].