After claiming that a recently discovered flaw in Windows was a problem with third-party software, Microsoft this week reversed course and will now fix the problem. The flaw is found in a component of the OS called URI (Uniform Resource Identifier) handling, which allows Web browsers to launch applications via hyperlinks in Web pages.
A security researcher discovered the Windows URI flaw back in July, noting that the component could trick Internet Explorer (IE) 7 into sending a malformed message to Mozilla's Firefox browser, thus triggering the remote execution of malicious code. The researcher, Thor Larholm, described the flaw as a "cross browser command injection vulnerability for Internet Explorer" at the time.
Since then, a number of other security researchers, and no doubt those with some more nefarious purposes, have discovered similar problems with other applications, including Adobe Reader and Outlook Express. These discoveries suggested that the problem wasn't with a single application, but rather with the way that Windows hands off messages between a Web browser and other applications.
When the issue came to light months ago, Microsoft argued that third-party application makers who open up their solutions to a Web browser were responsible for ensuring that these inter-application messages were safe. Security researchers, however, have almost uniformly disagreed, opining that Windows itself should handle this functionality.
Microsoft now agrees with that assessment and will issue a fix. Until that fix is available, the company has made available a security advisory alerting customers to the risks caused by the flaw, which affects Windows XP and 2003 systems running IE 7. (The flaw does not affect Windows Vista users, Microsoft notes.) There doesn't appear to be any specific workaround, however.
Microsoft Security Advisory (943521)