Unauthorized Patch by Researcher Posts Threat for Microsoft

A researcher leave behind Microsoft by publishing an unauthorized fix for a serious defect in the Windows XP and Server 2003 on PCs enabled with Internet Explorer 7.

The unofficial patch is meant for the susceptibility in a URI (Universal Resource Identifier) that, during the 2nd week of October 2007, Microsoft accepted after a long period of maintaining the defect has emerged from third-party software. However, the company has argued that any alterations made by the Microsoft led to the failure of third-party applications by damaging protocol handlers.

The data sharing between applications is facilitated by the URI handling which makes it feasible to click on a mailto link in IE that initiates a default user's email client by injecting a proper email address and subject line.

Amid the revised risk evaluation on account of the threat created by the fault, Microsoft modified its opinion on October 11, 2007 accepting the need to bolster its URI handling code. However, prior to Microsoft Research Redmond lab getting an update, Hyperion has stepped in by launching its unofficial patch.

KJK::Hyperion, alias "Hackbunny", a researcher supposed to be an Italian, had posted a link to the 16KB patch on October 14, 2007 on both his Full Disclosure security mailing list and the Website which is nicknamed "ShellExecuteFiasco", which prevents the operation of malformed URLs and stresses normalization of legitimate URLs. URL normalization is a technology that is used by the search engines to minimize indexing of duplicate pages which involves tasks like wiping out the "www" component of the address and also converting a URL to all-lowercase.

KJK has cautioned the users to apply the patch at their own risk, in a report published in PC World on October 15, 2007. KJK has also specified that the current patch is highly under-tested, without any approval of a quality assurance procedure. Thus, it should be applied with high concern as it contained probabilities to affect and make ones machine unusable.

There has been a strong recommendation by the Microsoft in the past to stay away from unauthorized patches and can be supposed to repeat it with the update of Hyperion. The unofficial patch can be downloaded from Website of KJK.

Related article: Unauthorized Intrusion Disrupts E-Mail Systems of Pentagon

» SPAMfighter News - 10/29/2007