MS Outlook flaw adds new twist to URI handling saga

Summary:According to Secunia's chief technology officer Thomas Kristensen, proof-of-concept code demonstrating the Outlook issue has been sent to Microsoft to prove that this is indeed a Windows vulnerability that's caused by a design change in Internet Explorer 7.

MS Outlook flaw adds new twist to URI handling saga
For months, Microsoft has taken a firm hands-off approach to the URI protocol handling vulnerability saga, shrugging off suggestions that there's a flaw in Windows that needs to be fixed.

Now comes word that two Microsoft products -- Outlook Express 6 and Outlook 2000 -- have joined the growing list of Windows applications that can be used as attack vectors.

According to Secunia's chief technology officer Thomas Kristensen, proof-of-concept code demonstrating the Outlook issue has been sent to Microsoft to prove that this is indeed a Windows vulnerability that's caused by a design change in Internet Explorer 7.

[ SEE: How to configure Internet Explorer to run securely ]

"Microsoft is now affected by [its] own design change," Kristensen said in an e-mail exchange." We hope that Microsoft now chooses the right path and creates a general fix for Windows [or] IE7 rather than start patching all their own applications and ask third party vendors to do the same," he added.

MS Outlook flaw adds new twist to URI handling saga

A spokesman for Redmond's security response team said the company is aware of what is described as "a potential issue in the way that Windows handles URLs passed in from other applications.

He also dropped a strong hint that this is something that might require a comprehensive Windows fix.

"Microsoft is continuing its investigation into this issue. Once we're done investigating, we will take appropriate action to help protect customers. This may include providing an update or additional guidance for customers."

[UPDATE: The company has  issued a formal security advisory with more information on the risks.  The advisory does not include any pre-patch workarounds. ]

That's a far cry from this statement from Microsoft in July:

Microsoft has thoroughly investigated the claim of a vulnerability in Internet Explorer and found that this is not a vulnerability in a Microsoft product.

An updated advisory from Secunia lists the following applications as attack vectors on fully patched Windows XP SP2 and Windows Server 2003 SP2 systems (with IE 7 installed):

  • Firefox version 2.0.0.5
  • Netscape Navigator version 9.0b2
  • mIRC version 6.3
  • Adobe Reader/Acrobat version 8.1 and prior (when opening PDF files)
  • Outlook Express 6 (e.g. when following specially crafted links in VCards)
  • Outlook 2000 (e.g. when following specially crafted links in VCards)

ALSO SEE:

Command injection flaw found in IE: Or is it Firefox?

IE-to-Firefox flaw debate rages: Ex-Microsoft security strategist weighs in

Mozilla caught napping on URL protocol handling flaw

Mozilla fixes its end of URL protocol handling saga

Adobe confirms PDF backdoor

Topics: Security, Browser, Collaboration, Enterprise Software, Microsoft, Operating Systems, Software, Windows

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.