
Microsoft to fix Windows URI security flaw after criticism

Daniel Fleshbourne   on 11 October 2007 - 13:00 · 6 comments & 5139 views

Microsoft plans to fix a bug in the Windows operating system that has been blamed for a handful of critical vulnerabilities in Windows software. The flaw lies in the URI (Uniform Resource Identifier) handler technology that lets Windows users launch programs -- e-mail or instant messaging clients, for example -- through their browsers by clicking on specially crafted Web links. In July, security researcher Thor Larholm showed how a browser could be tricked into sending malformed data to Firefox using this technology. This bug allowed an attacker to run unauthorized software on a victim's PC.

Later, other researchers began exploring ways of misusing other programs to achieve similar results. To date, researchers have found ways to exploit this type of vulnerability in many products including Firefox, Outlook Express 6, and Adobe Reader 8.1. The problem lies in the way the PC's software "sanitizes" these links to make sure attackers cannot successfully insert malicious code into them. How to solve it has been a matter of dispute. Some security experts have said that Windows could do a better job of checking the links to make sure they are not malicious; Microsoft had insisted that this was the job of the people writing the programs that were being launched.

News source: InfoWorld
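
A handler-side check of the kind the dispute above is about, as an added example (not code from Microsoft, Mozilla or the article): a program registered for a hypothetical `exampleapp:` scheme validates the link it receives as its command-line argument before acting on it. The scheme name, the length limit and the forbidden character set are assumptions chosen for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEME = "exampleapp"   # hypothetical scheme, not from the article
MAX_LEN = 2048                  # assumed upper bound for a link
# Characters that can end a quoted argument or start a new one on a command line.
FORBIDDEN = re.compile(r'[\x00-\x20\x7f"\'`\\<>|^]')
# A '%' that is not followed by two hex digits is a malformed escape.
BAD_ESCAPE = re.compile(r'%(?![0-9A-Fa-f]{2})')


def validate_handler_args(argv):
    """Return the parsed URI from a handler's argument list, or raise ValueError."""
    # A registered handler expects exactly one argument: the link itself.
    # More than one means the link broke out of its quoting and added arguments.
    if len(argv) != 1:
        raise ValueError("expected exactly one argument (the URI)")
    raw = argv[0]
    if not raw or len(raw) > MAX_LEN:
        raise ValueError("URI empty or too long")
    if BAD_ESCAPE.search(raw):
        raise ValueError("malformed percent-escape")
    # Check the raw form and the once-decoded form, so an encoded quote or
    # space is rejected just like a literal one. Invalid UTF-8 raises
    # UnicodeDecodeError, which is a ValueError.
    decoded = unquote(raw, errors="strict")
    for form in (raw, decoded):
        if FORBIDDEN.search(form):
            raise ValueError("forbidden character in URI")
    # Deliberately strict: a '%' left after decoding means double encoding.
    if "%" in decoded:
        raise ValueError("double-encoded data")
    parts = urlsplit(raw)
    if parts.scheme.lower() != ALLOWED_SCHEME:
        raise ValueError("unexpected scheme")
    return parts


def is_safe(argv):
    """Boolean wrapper around validate_handler_args."""
    try:
        validate_handler_args(argv)
        return True
    except ValueError:
        return False
```

The check runs inside the launched program, so it holds whether or not the browser or the operating system has already filtered the link.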

Comments · There are 6 additional comments
#1 vetmarkjensen on 11 Oct 2007 - 13:42
Either way, instead of trying to fix the blame on others, they just need to fix the problem.

Mozilla did their part, and it is good to see Microsoft no longer dragging their heels and fixing their end.
#2 22COOL on 11 Oct 2007 - 14:31
There will always be something else, I see this as never ending really.
#3 Pippin666 on 11 Oct 2007 - 15:32
A never ending story. Even the Enterprise got hacked a couple of times.

Pip'
#4 darkmark327 on 11 Oct 2007 - 19:35
Programs should not blindly accept any external input (in this case, command line parameters). This is an elementary security rule. Oh well, Microsoft is no stranger to fixing others' mistakes. (http://blogs.msdn.com/oldnewthing has copious examples)
#5 Azmodan on 12 Oct 2007 - 04:00
Finally? After negating this for months, they just decide to fix it?

Are they drunk?!
#6 +mrbester on 12 Oct 2007 - 12:03
Fixed the last sentence for you:
Quote -
...; Microsoft had insisted that this was the job of the people who were writing the programs that were being launched except if those products were written by Microsoft
