Thursday

Microsoft acknowledges security problem with URI bug



The URI (Uniform Resource Identifier) handler is a technology that lets Windows users launch programs, like e-mail or instant messaging clients, through their browsers by clicking on Web links.

Examples include ftp://, http://, irc:// (mIRC), aim:// (AOL Instant Messenger), hcp:// (Windows HelpCenter) and mms:// (Windows Media Player).

The problem lies in the way the PC's software "sanitizes" these links to make sure attackers cannot successfully insert malicious code into them. Internet Explorer 7 has changed how Microsoft Windows parses URIs. Systems with Internet Explorer 6 didn't have this problem.
This has introduced a flaw that can cause Windows to incorrectly determine the appropriate handler for the protocol specified in a URI. This flaw appears to rely on having a "%" character in the URI.

For example mailto:% 00% 00../../../../../windows/system32/cmd".exe ../../../../../../windows/system32/calc.exe " - " blah.bat

Afterwards, other programs, including Adobe's Acrobat Reader and the IM client Miranda, were found to be vulnerable to the same attack.
Microsoft insisted that the security flaw was in the programs and not in their OS. Things changed when Microsoft applications, including Outlook Express and Outlook 2000, also seemed affected by the problem. Soon after, a discussion thread started on the Full Disclosure mailing list, forcing Microsoft to change their response.
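
As an added illustration (not code from the original post or from any vendor), here is one way an application could vet a link itself before handing it to the operating system's URI handler. The function name uri_findings, the scheme allow-list and the specific checks are assumptions; the inputs are the example above as printed plus constructed samples.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumption: the schemes this application is willing to pass to the OS.
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}

SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
# A "%" that is not followed by exactly two hex digits is not a valid escape.
BAD_PERCENT_RE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def uri_findings(uri):
    """Return a list of reasons to refuse the link; an empty list means pass."""
    match = SCHEME_RE.match(uri)
    if not match:
        return ["no scheme"]
    findings = []
    if match.group(1).lower() not in ALLOWED_SCHEMES:
        findings.append("scheme not allowed")
    if BAD_PERCENT_RE.search(uri):
        findings.append("malformed percent escape")
    # Raw quotes and whitespace never appear in a well-formed URI and can
    # change how a command line built from the link is split.
    if re.search(r'["\s]', uri):
        findings.append("raw quote or whitespace")
    # Decode once and inspect the bytes a handler would actually receive.
    decoded = unquote_to_bytes(uri)
    if any(b < 0x20 or b == 0x7F for b in decoded):
        findings.append("encoded control character")
    if b"../" in decoded or b"..\\" in decoded:
        findings.append("path traversal sequence")
    return findings


# The example from the text, exactly as printed there.
PAGE_EXAMPLE = ('mailto:% 00% 00../../../../../windows/system32/cmd".exe '
                '../../../../../../windows/system32/calc.exe " - " blah.bat')

# Constructed samples for comparison.
SAMPLES = [
    "mailto:user@example.com?subject=Hello%20there",
    "mailto:user%00@example.com",
    "hcp://example",
    PAGE_EXAMPLE,
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(uri_findings(sample) or "pass", "<-", sample[:40])
```

A link that returns any finding should be dropped or shown as plain text rather than dispatched.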
