Security Flaw Affects XP, Windows Server 2003, IE7

Recently discovered security hole in Windows XP and Windows Server 2003 uses Internet Explorer (IE) 7 as the attack vector; fix is coming.

Microsoft has shouldered some responsibility for a recently discovered security hole in Windows XP and Windows Server 2003 that uses Internet Explorer (IE) 7 as the attack vector, announcing a forthcoming update to fix the vulnerability.

Microsoft yesterday released Microsoft Security Advisory 943521, describing the vulnerability. It is specific to XP, Windows Server 2003 and IE 7; Vista and earlier versions of IE are not affected, according to Microsoft.

It's caused by how Windows handles URLs or URIs (uniform resource identifiers), and could lead to an unsuspecting user clicking on a hyperlink that results in malicious code being run on the user's machine. The flaw was apparently introduced in the upgrade from IE 6 to IE 7, which changed how Windows parses URIs and can cause it to choose the wrong application to handle a protocol.

US-CERT (the United States Computer Emergency Readiness Team), on its Website, gave an example of how the flaw could be exploited: "For example, a 'safe' protocol such as mailto: may be incorrectly handled with an 'unsafe' application, such as the Windows command interpreter. This can allow unexpected execution of arbitrary commands."

Norwegian researcher Thor Larholm first brought the flaw to light in July. At that time, Microsoft blamed third-party applications for the vulnerability, saying applications need to be responsible for their own protocol handling. Now it seems to be accepting at least part of the blame for the defect, while still pointing out developers' responsibilities.

On the Microsoft Security Response Center Website, Jonathan Ness blogged about next steps. "Our plan is to revise our URI handling code ... to be more strict," he wrote. "While our update will help protect all applications from malformed URIs, application vendors who handle URIs can also do stricter validation themselves to prevent malicious URIs from being passed," Ness continued.
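The "stricter validation" Ness recommends is the kind of check an application can run before handing a URI it received to the operating system's protocol handler. The following is an added illustration written for this article; it is not Microsoft's fix and not the code of any vendor named here. The `validate_uri` function, the `SAFE_SCHEMES` allow-list and the sample inputs are assumptions made for the example. It enforces the RFC 3986 scheme grammar, restricts the scheme to an explicit allow-list, rejects characters outside the URI character set, and rejects malformed percent-encoding or control characters that only appear after decoding, all of which are the classes of "malformed URI" a handler should never forward.

```python
import re
from typing import Tuple
from urllib.parse import unquote_to_bytes

# RFC 3986 section 3.1 scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*")

# Characters RFC 3986 permits anywhere in a URI (unreserved, reserved and the
# percent sign itself). Whitespace and control characters are not in this set.
_ALLOWED_CHARS_RE = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*")

# A well-formed percent-encoded octet is '%' followed by exactly two hex digits.
_PCT_ENCODED_RE = re.compile(r"%[0-9A-Fa-f]{2}")

# Hypothetical allow-list (assumption for this example): the only protocols
# this application is willing to hand to the OS-registered handler.
SAFE_SCHEMES = frozenset({"http", "https", "mailto"})

MAX_URI_LENGTH = 2048  # assumed limit; pick what the application actually needs


def validate_uri(uri: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Only accepted URIs should reach a protocol handler."""
    if not uri or len(uri) > MAX_URI_LENGTH:
        return False, "empty or oversized URI"

    # Reject anything outside the RFC 3986 character set (spaces, newlines, NUL...).
    if not _ALLOWED_CHARS_RE.fullmatch(uri):
        return False, "character outside the RFC 3986 URI character set"

    # The scheme is everything before the first ':' and must follow the grammar.
    scheme, sep, rest = uri.partition(":")
    if not sep or not _SCHEME_RE.fullmatch(scheme):
        return False, "missing or malformed scheme"
    if scheme.lower() not in SAFE_SCHEMES:
        return False, "scheme '%s' is not on the allow-list" % scheme.lower()

    # Strip every well-formed %XX sequence; a '%' left over is a malformed escape.
    if "%" in _PCT_ENCODED_RE.sub("", rest):
        return False, "malformed percent-encoding"

    # Decode to raw octets and refuse control characters that were hidden by encoding.
    decoded = unquote_to_bytes(rest)
    if any(b < 0x20 or b == 0x7F for b in decoded):
        return False, "control character after percent-decoding"

    return True, "ok"


def dispatch_uri(uri: str, open_handler) -> bool:
    """Validate first; only an accepted URI is passed to open_handler (e.g. the OS call)."""
    accepted, _reason = validate_uri(uri)
    if accepted:
        open_handler(uri)
    return accepted


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    samples = [
        "mailto:someone@example.com",   # accepted
        "HTTP://Example.com/path?q=1",  # accepted; scheme compared case-insensitively
        "mailto:%4",                    # rejected: malformed percent-encoding
        "mailto:a%00b",                 # rejected: NUL after decoding
        "ftp://example.com/",           # rejected: scheme not on the allow-list
        "http://example.com/a b",       # rejected: space is not a URI character
    ]
    for sample in samples:
        print("%-32r -> %s" % (sample, validate_uri(sample)))
```

The allow-list is the important design choice: rather than trying to enumerate every way a URI might be mangled, the application names the few protocols it is prepared to forward and lets the handler refuse everything else. The control-character check runs on the decoded octets because a validator that only inspects the raw string would pass a value whose unsafe bytes are percent-encoded.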

Juergen Schmidt, a researcher at Heise Security, noted that a number of programs are affected. The flaw, he wrote, "hits a lot of applications, not only Firefox (and mIRC) -- namely Skype, Acrobat Reader, Miranda, Netscape." Schmidt also hinted that it's likely that more programs could be affected.

Microsoft's security advisory didn't say when the update would be ready. Its monthly "Patch Tuesday" release came yesterday. The next one is scheduled for Nov. 13. From time to time, Redmond releases mid-cycle patches, but only in rare cases where the vulnerability is extremely serious.

About the Author

Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.

