Microsoft bows to criticism, will fix Window's URI security flaw

Microsoft plans to fix a bug in the Windows operating system that has been blamed for a handful of critical vulnerabilities in Windows software.

The flaw lies in the URI (Uniform Resource Identifier) handler technology that lets Windows users launch programs -- e-mail or instant messaging clients, for example -- through their browsers by clicking on specially crafted Web links.

In July, security researcher Thor Larholm showed how a browser could be tricked into sending malformed data to Firefox using this technology. This bug allowed an attacker to run unauthorized software on a victim's PC.

Later, other researchers began exploring ways of misusing other programs to achieve similar results. To date, researchers have found ways to exploit this type of vulnerability in many products including Firefox, Outlook Express 6, and Adobe Reader 8.1.

The problem lies in the way the PC's software "sanitizes" these links to make sure attackers cannot successfully insert malicious code into them. Its solution has been a matter of dispute. Some security experts have said that Windows could do a better job in checking the links to make sure they were not malicious; Microsoft had insisted that this was the job of the people who were writing the programs that were being launched.

The software vendor has now apparently reversed that position.

"Since we began investigating this situation in July there's been more discussion on how to potentially use this in attacks," wrote Microsoft's Jonathan Ness in a Wednesday blog posting. "So to help address overall confusion between these two issues, we've released Security Advisory 94351 to alert customers to the risks associated with this issue, and to let folks know we're working on a security update."

The update will change a Windows function known as ShellExecute() so that it sanitizes the links it is processing, he added. In addition to Ness's blog posting, Microsoft has released a security advisory on the issue.

Microsoft's public relations agency was not immediately able to answer questions relating to this issue Wednesday.

How far these changes will go to disable these types of bugs depends on how Microsoft implements its changes, but the software vendor will be unable to fix all these bugs, said Nathan McFeters, [cq] a security researcher with Ernst & Young Global who has been researching the issue. That's because the way these links are handled by the applications such as AOL Instant Messenger or Trillian is outside of Microsoft's control.

For example, it would be impossible for Microsoft to fix a recent Picasa flaw discovered by McFeters and Researcher Billy Rios. "The Picasa flaw is based on the intended use of the application, we are just abusing this functionality," McFeters wrote in an e-mail interview. "Microsoft can't fix the fact that the way these URI are used can cause flaws."

Microsoft did not say when it planned to patch the URI protocol handling flaw. Its next set of security updates is due Nov. 13.