Security Flaw Affects XP, Windows Server 2003, IE7

Recently discovered security hole in Windows XP and Windows Server 2003 uses Internet Explorer (IE) 7 as the attack vector; fix is coming.

Microsoft has shouldered some responsibility for a recently discovered security hole in Windows XP and Windows Server 2003 that uses Internet Explorer (IE) 7 as the attack vector, announcing a forthcoming update to fix the vulnerability.

Microsoft yesterday released Microsoft Security Advisory 943521, detailing the vulnerability. The vulnerability is specific to XP, Windows Server 2003 and IE 7. Vista and earlier versions of IE are not affected, according to Microsoft.

It's caused by how Windows deals with URLs or URIs (uniform resource identifiers), and could lead to an unsuspecting user clicking on a hyperlink that results in malicious code being run on the user's machine. The flaw was apparently introduced in the upgrade from IE 6 to IE 7, which changed how Windows parses URIs, so that Windows can choose the wrong application to handle a protocol.

US-CERT (The United States Computer Emergency Readiness Team), on its Website, gave an example of how the flaw could be exploited: "For example, a 'safe' protocol such as mailto: may be incorrectly handled with an 'unsafe' application, such as the Windows command interpreter. This can allow unexpected execution of arbitrary commands."

Norwegian researcher Thor Larholm in July first brought the flaw to light. At that time, Microsoft blamed third-party applications for the vulnerability, saying applications need to be responsible for their own protocol handling. Now it seems to be accepting at least part of the blame for the defect, while still pointing out developers' responsibilities.

On the Microsoft Security Response Center Website, Jonathon Ness blogged about next steps. "Our plan is to revise our URI handling code ... to be more strict," he wrote. "While our update will help protect all applications from malformed URI's, application vendors who handle URI's can also do stricter validation themselves to prevent malicious URI's from being passed," Ness continued.

Juergen Schmidt, a researcher at Heise Security, noted that a number of programs are affected. The flaw, he wrote, "hits a lot of applications, not only Firefox (and mIRC) -- namely Skype, Acrobat Reader, Miranda, Netscape." Schmidt also hinted that it's likely that more programs could be affected.

Microsoft's security advisory didn't say when the update would be ready. Its monthly "Patch Tuesday" release came yesterday. The next one is scheduled for Nov. 13. From time to time, Redmond releases mid-cycle patches, but only in rare cases where the vulnerability is extremely serious.

About the Author

Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.
