In association with heise online

11 October 2007, 12:47

Microsoft says it will patch URI hole in Windows


A knowledge base article from Microsoft has at last confirmed the existence of a "URL handling vulnerability in Windows" and states that the vendor will be releasing a patch. According to the Response Center, the main reason for this change of heart is that Microsoft contributed to the confusion itself when it supplied heise Security with the wrong "set of talking points" – defined in Wikipedia basically as public relations spin – in its statement on the vulnerability. After a report citing Microsoft's response was published, a discussion broke out on the Full Disclosure security mailing list, forcing Microsoft to react after all. There may also be another driver for the vendor's change of heart: it recently turned out that Microsoft applications including Outlook Express and Outlook 2000 are also affected by the problem.

The MSRC blog also explains why the problem only occurs in combination with Internet Explorer 7 on Windows XP or Server 2003. IE7 examines URIs more closely than its predecessors to check whether they are valid, and discards them in case of doubt. Microsoft says that ShellExecute() then nevertheless attempts to interpret the URI. Whereas Vista rejects malformed URIs (such as those containing the percent character or quotation marks in certain positions), XP does not. As a result, programs installed on the system can be launched via ShellExecute() with arbitrary parameters. If Internet Explorer 6 is running on XP, the URI handling sequence is reversed, so the error does not occur.

The upcoming patch is expected to make the handling of URIs in ShellExecute() more robust. In addition, Microsoft recommends that application vendors validate URIs themselves before handing them on, as Firefox and Skype already do and Adobe plans to do soon.
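The application-side validation Microsoft recommends above, and the Vista behaviour described in the previous paragraph (refusing URIs with stray percent or quotation-mark characters), can be illustrated with a small check an application runs before it ever calls ShellExecute(). The following is an added example, not code from Microsoft, Firefox, Skype or Adobe: it assumes a hypothetical application-level allow-list of schemes (`http`, `https`, `mailto`), refuses quotation marks outright, accepts `%` only as a well-formed two-hex-digit escape, and accepts only printable ASCII characters the URI grammar permits unencoded. The exact rules are this example's own conservative choice, not the rules Vista or the patch apply.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical list of schemes this application is willing to hand to the
 * shell; an assumption for this example, a real application picks its own. */
static const char *const kAllowedSchemes[] = { "http", "https", "mailto", NULL };

/* Length of a syntactically valid scheme at the start of uri (RFC 3986:
 * ALPHA followed by ALPHA / DIGIT / "+" / "-" / "."), or 0 if there is none. */
size_t scheme_length(const char *uri)
{
    if (uri == NULL || !isalpha((unsigned char)uri[0]))
        return 0;
    size_t i = 1;
    while (uri[i] != '\0' &&
           (isalnum((unsigned char)uri[i]) || uri[i] == '+' ||
            uri[i] == '-' || uri[i] == '.'))
        i++;
    return uri[i] == ':' ? i : 0;
}

/* Case-insensitive comparison of the scheme against the allow-list. */
static bool scheme_allowed(const char *uri, size_t len)
{
    for (size_t k = 0; kAllowedSchemes[k] != NULL; k++) {
        if (strlen(kAllowedSchemes[k]) != len)
            continue;
        size_t i = 0;
        while (i < len &&
               tolower((unsigned char)uri[i]) == (unsigned char)kAllowedSchemes[k][i])
            i++;
        if (i == len)
            return true;
    }
    return false;
}

/* Characters RFC 3986 permits unencoded, apart from '%' (handled separately). */
static bool plain_uri_char(unsigned char c)
{
    return isalnum(c) || strchr("-._~:/?#[]@!$&'()*+,;=", c) != NULL;
}

/* Decide whether the application should pass uri to ShellExecute() at all:
 * the scheme must be on the allow-list, quotation marks are refused outright,
 * '%' must start a well-formed two-hex-digit escape, and every other byte
 * must be a printable ASCII character the URI grammar allows unencoded. */
bool uri_safe_for_shell(const char *uri)
{
    size_t slen = scheme_length(uri);
    if (slen == 0 || !scheme_allowed(uri, slen))
        return false;

    for (size_t i = 0; uri[i] != '\0'; i++) {
        unsigned char c = (unsigned char)uri[i];
        if (c == '"')
            return false;                 /* never forwarded to the shell */
        if (c == '%') {
            if (!isxdigit((unsigned char)uri[i + 1]) ||
                !isxdigit((unsigned char)uri[i + 2]))
                return false;             /* malformed percent-escape */
            i += 2;                       /* skip the two hex digits */
            continue;
        }
        if (c < 0x20 || c >= 0x7f || !plain_uri_char(c))
            return false;                 /* control, non-ASCII, space, etc. */
    }
    return true;
}

int main(void)
{
    /* Constructed sample inputs for illustration, not taken from the article. */
    const char *samples[] = {
        "https://www.heise.de/security/",
        "mailto:someone@example.com",
        "http://example.com/a%20b",
        "http://example.com/say\"hi\"",
        "http://example.com/%zz",
        "ftp://example.com/",
        "not-a-uri",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s -> %s\n", samples[i],
               uri_safe_for_shell(samples[i]) ? "hand to shell" : "refuse");
    return 0;
}
```

The point of the scheme allow-list is that an application which only ever needs to open web links or mail addresses has no reason to let the shell resolve any other registered handler; the character rules then stop a syntactically odd URI from reaching ShellExecute() even when the browser in front of it has not filtered it.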
