Microsoft to fix Windows URI security flaw after criticism

Microsoft plans to fix a bug in the Windows operating system that has been blamed for a handful of critical vulnerabilities in Windows software. The flaw lies in the URI (Uniform Resource Identifier) handler technology that lets Windows users launch programs -- e-mail or instant messaging clients, for example -- through their browsers by clicking on specially crafted Web links. In July, security researcher Thor Larholm showed how a browser could be tricked into sending malformed data to Firefox using this technology. This bug allowed an attacker to run unauthorized software on a victim's PC.

Later, other researchers began exploring ways of misusing other programs to achieve similar results. To date, researchers have found ways to exploit this type of vulnerability in many products, including Firefox, Outlook Express 6, and Adobe Reader 8.1. The problem lies in the way the PC's software "sanitizes" these links to make sure attackers cannot successfully insert malicious code into them. How to solve it has been a matter of dispute. Some security experts have said that Windows could do a better job of checking the links to make sure they are not malicious; Microsoft had insisted that this was the job of the people who were writing the programs that were being launched.

View: The full story
News source: InfoWorld

Fixed the last sentence for you:

...; Microsoft had insisted that this was the job of the people who were writing the programs that were being launched except if those products were written by Microsoft

Programs should not blindly accept any external input (in this case, command line parameters). This is an elementary security rule. Oh well, Microsoft is no stranger to fixing others' mistakes. ( has copious examples)

Either way, instead of trying to fix the blame on others, they just need to fix the problem.

Mozilla did their part, and it is good to see Microsoft no longer dragging their heels and fixing their end.