Microsoft performs U-turn on URI threat

Microsoft plans to fix a Windows bug recently blamed for several critical vulnerabilities in third-party software.


Microsoft plans to fix a Windows bug recently blamed for several critical vulnerabilities in third-party software.

The flaw lies in the URI (Uniform Resource Identifier) handler technology that lets Windows users launch programs – email or instant messaging clients, for example – by clicking on web page links.

In July, security researcher Thor Larholm showed how a browser could be tricked into sending malformed data to Firefox using this technology. The bug allowed an attacker to run unauthorised software on a victim's PC.

Later, other researchers began exploring ways of misusing other programs to achieve similar results. Attacks using this vulnerability have been found in many products including Firefox, Outlook Express 6 and Adobe Reader 8.1.

The problem lies in the way these links are "sanitised" to make sure attackers cannot insert malicious code into them. Its solution has been a matter of dispute. Some security experts have said that Windows could do a better job in checking the links; Microsoft had insisted that this was the job of the people who were writing the programs that were being launched.

The software vendor has now apparently reversed that position.

"Since we began investigating this situation in July there's been more discussion on how to potentially use this in attacks," wrote Microsoft's Jonathan Ness in a blog posting. "So to help address overall confusion between these two issues, we've released Security Advisory 94351 to alert customers to the risks associated with this issue, and to let folks know we're working on a security update."

The update will change a Windows function known as ShellExecute() so that it sanitises the links it processes, he added. Microsoft has also released a security advisory on the issue.

How far these changes will go to disable these types of bugs depends on how Microsoft implements its changes, but the company will be unable to fix all these bugs, said Nathan McFeters, a security researcher with Ernst & Young who has been researching the issue. That's because the way these links are handled by applications such as AOL Instant Messenger or Trillian is outside of Microsoft's control.

For example, it would be impossible for Microsoft to fix a recent Picasa flaw discovered by McFeters and researcher Billy Rios. "The Picasa flaw is based on the intended use of the application, we are just abusing this functionality," McFeters wrote in an email. " Microsoft can't fix the fact that the way these URI are used can cause flaws."

Microsoft did not say when it planned to patch the URI protocol handling flaw. Its next set of security updates is due on 13 November.

"Recommended For You"

Adobe pushes out critical PDF patches Skype forgets to tell users of bug or patch job