IE 7 bug reopens debate over patch responsibilities

Researchers argue over who to blame; Microsoft again denies there's a bug

Security researchers are again arguing over who is responsible -- Microsoft or third-party developers -- for protocol-handling bugs after a researcher said late last week that Internet Explorer 7 can be used to trick users into launching malware.

Posting to the Full Disclosure mailing list, Juergen Schmidt, a researcher at Heise Security, blamed IE 7 for passing invalid Uniform Resource Identifiers (URI) to Windows XP. Specifically, said Schmidt, IE 7 accepts URLs from other applications that include the "%" [percent] character, which can launch software or scripts on users' machines if they click on a malformed link.

According to Schmidt and others, the earlier IE 6 doesn't have the bug, indicating that something broke between versions. "Post-IE7 has a flaw/threat/vulnerability it hasn't had pre-IE7," said Thierry Zoller, a penetration tester at German security firm n.runs.

Windows' URI protocol handling, the technology that lets browsers run other programs via commands in the URL, has been criticized since July, when Norwegian researcher Thor Larholm demonstrated how IE and rival Firefox could be used to run malicious code. Even then, researchers feuded over responsibility. Mozilla patched Firefox several days later, but Microsoft declined to fix IE, saying that it didn't consider the issue a vulnerability in its software.

Schmidt identified several applications, including Adobe System's Acrobat Reader, the Netscape browser and Miranda, an IM client, that he said improperly handle URIs with the percent symbol, and he hinted that there were plenty more.

His post drew reaction on Full Disclosure. "The applications are accepting arbitrary input and not validating correctly," said Roger Grimes, a security consultant who said he works at Microsoft. "How is that a Microsoft or Windows problem? How could Microsoft determine ahead of time what is and isn't [a] legitimate character to pass to applications they don't own?"

"How is that _not_ a Windows Problem?" replied Zoller. "It's not that they should decide what to pass or not to pass on, the problem in the example Juergen sent is [that] they pass internally, not to third-party applications."

"If the application is what exposes the URI-handling routine to untrusted code from the Internet, then it's the application's job to make sure that code is trusted before exposing system components to its commands, no?" asked another user who went by the name "Geo."

Microsoft denied responsibility for any vulnerability in July and repeated that to Schmidt after he asked if the company's security center would address the problem. "After its thorough investigation, Microsoft has revealed that this is not a vulnerability in a Microsoft product." The company was not available early this week to confirm that its previous comment remains its official position.

Last summer, however, an IE program manager said it would be "very difficult" to retroactively add checks for possibly invalid URIs and, citing the "limitless variety of applications and their unique capabilities," pointed to the those applications as the real source of the problem. "It is the responsibility of the receiving (called) application to make sure it can safely process the incoming parameters," said Markellos Diorinos.

Some security researchers don't see it the same way. For example, Symantec issued an alert to customers of its DeepSight threat system, warning them of the bug and putting the onus on Microsoft. "This issue is due to a flaw in Microsoft Windows when it attempts to determine which application should be utilized when interpreting protocol-handlers such as 'mailto:', 'http:', and others," the alert read.

"The fundamental flaw here is that Windows' built-in URI handler doesn't invoke external programs correctly, resulting in a shell-injection attack," argued Glynn Clements on the Full Disclosure thread begun by Schmidt. "Modifying individual programs to protect against a shell-injection bug in Windows' URI handler is a work-around, not a fix."

According to a notice it gave last week, Microsoft will patch Internet Explorer tomorrow to fix what it has described as a "critical" vulnerability. Although the expected security update will include changes to IE 7, Microsoft does not specify the vulnerabilities it will address before it posts its patches.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?