Third-party Updates Not Enough to Plug Hole in Windows Shell
It's another humbling admission that would have been distinctly uncharacteristic of Microsoft just years ago. But this morning, the company's security response communications manager, Bill Sisk, told customers on the MSRC blog that recent "third-party" efforts to plug a potentially serious vulnerability between Internet Explorer 7 and Windows XP can't go far enough to solve the underlying problem.
"Third party applications are currently being used as the vector for attack and customers who have applied the security updates available from these vendors are currently protected," Sisk wrote, alluding to a recent patch from Adobe without referring to the company by name. "However, because the vulnerability mentioned in this advisory is in the Microsoft Windows ShellExecute function, these third party updates do not resolve the vulnerability - they just close an attack vector."
When Microsoft was developing IE7, it was with the intention of working better with Windows Vista, whose security routines at the kernel level had been bolstered substantially. Vista does more than XP did to parse malformed URLs, and thus IE7 ended up leaving more of that job to Vista.
But of course, not everyone upgraded to Vista. As a result, a parsing feature that detected malformed URLs with embedded JavaScript code that had worked properly for IE6 and XP, ended up being missing when users upgraded to IE7. That JavaScript code is capable of running executable code unchecked, when a URL is intentionally malformed to include a percent mark in the wrong location.
Sisk said Microsoft teams worldwide are working on a solution to the problem, which he confirmed once again was with the ShellExecute() API function, but he offered no timeline for that resolution to be made public.
"To help protect yourself during the interim," he wrote, "we continue to recommend that you should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources and/or visiting untrusted websites. This is absolutely one of the most effective ways to help protect yourself from a variety of threats on the Internet today."