First we had the Quick time QTL/URI issue, then the Acrobat URI and rumors of more exploits which were all 3rd party problems from the Microsoft perspective. Now things are getting interesting;
Microsoft Flip-Flops On URI Protocol Handing Flaw [SlashDot]
“After months of insisting there is nothing to patch, Microsoft has done a complete 180 on the URI protocol handling vulnerability, announcing in a security advisory that a Windows update will be released to revise URI handling code within ShellExecute() to be more strict. The MSRC blog explains the background and offers more details on this issue.“
The Microsoft Security Response Center (MSRC)
Additional Details and Background on Security Advisory 943521 [MSRC Blog]
“… Our plan is to revise our URI handling code within ShellExecute() to be more strict. While our update will help protect all applications from malformed URI’s, application vendors who handle URI’s can also do stricter validation themselves to prevent malicious URI’s from being passed to ShellExecute(). We have seen several vendors introduce additional validation as a way to protect their customers from this issue. We are also working on a KB article to help third party application authors build this type of validation.
…“
Microsoft Security Advisory (943521)
URL Handling Vulnerability in Windows XP and Windows Server 2003 with Windows Internet Explorer 7 Could Allow Remote Code Execution [MS]
“… Microsoft is investigating public reports of a remote code execution vulnerability in supported editions of Windows XP and Windows Server 2003 with Windows Internet Explorer 7 installed. We are not aware of attacks that try to use the reported vulnerability or of customer impact at this time. Microsoft is investigating the public reports.
* This vulnerability does not affect Windows Vista or any supported editions of Windows where Internet Explorer 7 is not installed. …“
