In association with heise online

16 October 2007, 16:04

Unofficial patch for Windows URI problem


It has been more than two months since the critical URI vulnerability in Windows was made public, and Microsoft has yet to release a patch. A growing number of users are using various workarounds in an attempt to patch their systems themselves. The strange behavior of Windows XP with Internet Explorer 7 installed may allow the computer to be infected with malicious software even by simply opening a file. The developers of Firefox and Skype have taken steps to provide their own patches; other applications such as Adobe Reader, Outlook Express/2000, Miranda, and mIRC, however, remain vulnerable.

Now, a hacker with the pseudonym KJK::Hyperion has published a provisional and, needless to say, highly unofficial patch that tries to clean up the call parameters in the handling of the vulnerable Windows function ShellExecute(). But as the developer himself warns, "The present patch is dramatically under-tested and it has underwent [sic] no quality assurance procedure whatsoever..."

It is therefore not recommended that this patch be installed on operational systems. But at least KJK::Hyperion did not release his workaround only as a DLL library ready for installation, but additionally as source code under an open-source license. Others can therefore evaluate and improve the code, if necessary.

It is still not clear when Microsoft will provide a proper solution to the problem. For months, the vendor has refused to confirm the existence of the problem in Windows XP. This only happened after Secunia had demonstrated that Outlook Express/2000 could also be used as an attack vector. According to a blog entry at the Microsoft Security Response Center, they plan to revise the code in ShellExecute() to fix the problem. The next regular date for such an update would be Patch Tuesday in mid-November; right now, there is no indication that any unscheduled update will be released.

This patch contains a severe bug.
