We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Microsoft pressured into fixing Windows flaw

Will patch URI security flaw after criticism

Microsoft will patch a Windows bug blamed for a handful of critical vulnerabilities in the Windows operating system software.

The flaw lies in the URI (Uniform Resource Identifier) handler technology that lets Windows users launch programs - email or instant messaging clients, for example - through their browsers by clicking on specially crafted Web links.

To date, researchers have found ways to exploit this type of vulnerability in many products including Firefox, Outlook Express 6 and Adobe Reader 8.1. In July, for instance, security researcher Thor Larholm showed how a browser could be tricked into sending malformed data to Firefox using this technology. This bug allowed an attacker to run unauthorised software on a victim's PC.

Later, other researchers began exploring ways of misusing other programs to achieve similar results.
See also: Microsoft patches IE, Outlook and Word flaws

The problem lies in the way the PC's software "sanitises" these links to make sure attackers cannot successfully insert malicious code into them. Its solution has been a matter of dispute.

Some security experts have said that Windows could do a better job in checking the links to make sure they were not malicious; Microsoft had insisted that this was the job of the people who were writing the programs that were being launched.

The software vendor has now apparently reversed that position.

"Since we began investigating this situation in July there's been more discussion on how to potentially use this in attacks," wrote Microsoft's Jonathan Ness in a Wednesday blog posting.

"So to help address overall confusion between these two issues, we've released Security Advisory 94351 to alert customers to the risks associated with this issue, and to let folks know we're working on a security update."

The update will change a Windows function known as ShellExecute() so that it sanitised the links it is processing, he added. In addition to Ness's blog posting, Microsoft has released a security advisory on the issue.

Microsoft's public relations agency was not immediately able to answer questions relating to this issue Wednesday.

How far these changes will go to disable these types of bugs depends on how Microsoft implements its changes, but the software vendor will be unable to fix all these bugs, said Nathan McFeters, a security researcher with Ernst & Young Global Ltd. who has been researching the issue. That's because the way these links are handled by the applications such as AOL Instant Messenger or Trillian is outside of Microsoft's control.

For example, it would be impossible for Microsoft to fix a recent Picasa flaw discovered by McFeters and Researcher Billy Rios. "The Picasa flaw is based on the intended use of the application, we are just abusing this functionality," McFeters wrote in an email interview.

"Microsoft can't fix the fact that the way these URI are used can cause flaws."

Microsoft did not say when it planned to patch the URI protocol handling flaw. Its next set of security updates is due November 13.

Get the latest PC security news, reviews and updates at Security Advisor


IDG UK Sites

iPad mini 3 vs iPad mini 2 comparison: New iPad mini 3 isn't worth £80 more

IDG UK Sites

Why you shouldn't buy the iPad mini 3: No wonder Apple gave it 10 seconds of stage time

IDG UK Sites

Halloween Photoshop tutorials: 13 masterclasses for horrifying art, designs and type

IDG UK Sites

Should I upgrade from Mavericks to OS X 10.10 Yosemite? What you need to know before updating to...