Researcher posts unofficial patch for Windows URI bug

Beats Microsoft to the patch.

A researcher beat Microsoft to the patch punch over the weekend by publishing an unofficial fix for a critical flaw in Windows XP and Server 2003 on PCs with Internet Explorer 7.

KJK::Hyperion, a.k.a. "Hackbunny," a researcher believed to live in Italy, posted a link to the 16KB patch on both his Web site and the Full Disclosure security mailing list Sunday. KJK's patch, dubbed "ShellExecuteFiasco," blocks the execution of malformed URLs and forces normalization of valid URLs. URL normalization, which can include tasks such as changing a URL to all-lowercase and stripping out the "www" part of the address, is a technique used by search engines to reduce indexing of duplicate pages.

Users who apply the patch do so at their own risk, KJK warned. "The present patch is dramatically under-tested and it has underwent [sic] no quality assurance procedure whatsoever, so please deploy with the greatest care," he said in the notes accompanying the fix. "It has a very good chance of misbehaving and making your system unusable."

His patch targets the Universal Resource Identifier (URI) vulnerability that Microsoft acknowledged last week. The company's security group issued an advisory that spelled out the problem, which could allow attackers to compromise systems running Internet Explorer 7 if users clicked on malicious links embedded in e-mail messages or posted on a Web page. Microsoft also said it would release a fix but would not commit to a schedule.

"The update will be part of our normal product update process [and] will be released as soon as we feel it's ready," said Mark Miller, director of the Microsoft Security Response Center (MSRC), last week.

Microsoft typically takes a dim view of third-party patches like the one KJK posted. Although it did not immediately reply to a request for comment, in past cases, it has cautioned users against deploying any unsanctioned fix.

Symantec gave much the same warning to customers of its DeepSight threat network this week. In the advisory, Symantec said it had not been able to verify the integrity of KJK's work and told users to "use extreme caution when using patches from third-party sources."

The unsanctioned patch can be downloaded from KJK's Web site.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?