Microsoft comes clean on URI holes

Microsoft comes clean on URI holes


Company vows to fix address handling flaw

Microsoft is to issue a fix for a bug in Internet Explorer 7 that leaves users vulnerable to attack.

Members of Microsoft's Secure Windows Initiative team explained the issue in an article posted to a company blog.

The problem exists in IE7's handling of uniform resource indicators (URIs) in Windows XP and Server 2003.

The URI is the first part of an address, used to specify which application runs a file or link. One example is the 'mailto:' command which launches an email client.

After the URI link is clicked, Windows calls a component known as 'ShellExecute' which then runs the URI instructions.

In recent months, researchers have outlined vulnerabilities in Firefox and Internet Explorer that could allow an attacker to execute malicious code and compromise a target system.

Mozilla recently issued an update for Firefox that addresses the issue, and Microsoft is saying it will need to do the same.

Previous versions of Internet Explorer checked the URI within the browser. If an address was malformed or invalid, the process would fail and the URI would not run.

With the new version of the browser, however, a malformed URI is "cleaned up " in order to be run. This, say researchers, allows attackers to run potentially malicious code hidden within the URI.

The Secure Windows Initiative developers said that a security component prevents Windows Vista from running the URI scripts, protecting IE7 from the attack on Vista. No such protections exist Within IE7 on Windows XP and 2003, however.

The developers believe that the ShellExecute component will need to be redesigned in order to be "more strict" in its handling of URLs.

Microsoft gave no expected release date for the update, and recommended that developers take matters into their own hands to secure their applications in the meantime.