Microsoft Resumes Investigation & Plans to Patch URI Flaw
Software maker Microsoft Corp., which patched four vulnerabilities in Internet Explorer (IE) on October 9, 2007, did not develop a fix for a problem relating to protocol handling which, if exploited, could enable attackers to make users download malware. However, the company has promised to release a patch in the near future.
Security researcher Juergen Schmidt of Heise Security said that a bug in Internet Explorer 7 relating to the handling of Uniform Resource Identifiers (URIs) affected Windows XP. Attackers who exploited this bug could launch malicious scripts by tricking users into clicking a link, ComputerWorld reported on October 10, 2007.
When Schmidt asked Microsoft Corp. whether it planned to repair the IE7 flaw, he received a reply similar to the one Microsoft gave last summer: the company said that after a thorough investigation, it had found that the vulnerability was not in a Microsoft program.
Disagreeing with Microsoft, researchers such as Andrew Storms, director of security operations at nCircle Network Security Inc., said that Microsoft still had work to do, while maintaining that every piece of software should provide its own security by default. ComputerWorld reported this on October 10, 2007.
At this point, Microsoft may be having second thoughts about the situation. It wrote in its security advisory that the company was assessing public reports pointing at a remote code execution vulnerability affecting Windows Server 2003 and Windows XP running IE7. So far, the company has no information of the vulnerability affecting customers.
In July, security researcher Thor Larholm showed how it is possible to trick a browser into passing malicious data to Mozilla's Firefox by exploiting the URI handler technology. With this bug, an attacker could execute an unauthorized program on the victim's computer.
After Larholm, other researchers explored ways to achieve similar results through other kinds of applications. So far, researchers have been able to exploit this vulnerability in Outlook Express 6, Firefox and Adobe Reader 8.1.
However, according to Microsoft's security advisory, this vulnerability is ineffective on Windows Vista or any other Windows edition with IE7 active on it.
» SPAMfighter News - 24-10-2007