A member of Microsoft's Internet Explorer team says it is "very difficult" to put protections in place to block the protocol handlers attack vector exposed by the recent IE-to-Firefox code execution vulnerability.
Markellos Diorinos, a product manager on the IE team, insists it is the responsibility of the receiving (called) application to make sure it can safely process the incoming parameters.
This stance is in sharp contrast to Mozilla's position that this is a critical IE vulnerability.
In an entry to the IE team blog, Diorinos writes:
Custom URL handlers enable third party applications (such as streaming media players and internet telephony applications) to directly launch from within another application - commonly a web browser but even using a command line from Start > Run. For example, the “mailto:” custom URL handler enables you to click on a link and start writing an email. To make these custom URL handlers more useful, they can accept parameters that provide more specific instructions. For instance mailto: accepts parameters like subject and body.
The number of potential applications (and protocol handlers) is effectively limitless, allowing for many new and exciting ways to enrich the Web. However, as with many extension models, there are security implications. In this example, one potential threat is that the custom URL may have dangerous parameters, such as strings that are too long and might cause a buffer overflow. The limitless variety of applications and their unique capabilities make it very difficult to have any meaningful automated parameter validation by the hosting (caller) application. It is the responsibility of the receiving (called) application to make sure it can safely process the incoming parameters.
He did not say specifically that Microsoft will not be issuing an IE patch. Instead, Diorinos pointed out that Protected Mode in IE7 in Windows Vista provides some additional protection when a user clicks on Application URL Protocol links.
This means that Vista users running IE get a roadblock that reads:
"A website wants to open web content using this program on your computer"
However, Windows customers running IE 7 on Windows XP get no such warning.
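The quoted blog entry puts parameter validation on the receiving (called) application. As an added illustration, not code from Microsoft, Mozilla or the article, here is a sketch of the checks a called application could run on the URL it is handed before acting on it. The scheme name `example-app`, the length limits and the allowed parameter names are assumptions chosen for the example.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumptions (not from the article): the scheme name, the limits and the
# allowed parameter names are hypothetical values chosen for illustration.
SCHEME = "example-app"
MAX_URL_LEN = 2048
MAX_VALUE_LEN = 256
ALLOWED_PARAMS = {"subject", "body"}


class RejectedURL(ValueError):
    """Raised when the incoming handler argument must not be processed."""


def validate_handler_url(raw: str) -> dict:
    """Validate the URL a caller (browser, Start > Run) hands to the app.

    Returns the decoded parameters, or raises RejectedURL.
    """
    # Bound the total length before any parsing happens.
    if len(raw) > MAX_URL_LEN:
        raise RejectedURL("URL too long")
    parts = urlsplit(raw)
    if parts.scheme.lower() != SCHEME:
        raise RejectedURL("unexpected scheme")
    try:
        # strict_parsing turns malformed fields into errors instead of skipping them.
        pairs = parse_qsl(parts.query, keep_blank_values=True,
                          strict_parsing=True) if parts.query else []
    except ValueError as exc:
        raise RejectedURL("malformed query") from exc
    params = {}
    for name, value in pairs:
        if name not in ALLOWED_PARAMS:
            raise RejectedURL(f"unknown parameter: {name!r}")
        if name in params:
            raise RejectedURL(f"duplicate parameter: {name!r}")
        if len(value) > MAX_VALUE_LEN:
            raise RejectedURL(f"parameter too long: {name!r}")
        # Check the decoded value: percent-encoding can hide control characters.
        if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
            raise RejectedURL(f"control character in {name!r}")
        params[name] = value
    return params
```

The checks run on the decoded values and reject anything not explicitly allowed, so the application never has to reason about input it did not expect.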