Microsoft patches URI handling, DNS spoofing flaws

Summary: Microsoft has finally shipped a comprehensive fix for a critical URI handling vulnerability that exposes Windows users to drive-by malware attacks.

The patch, available in the MS07-061 bulletin, covers a remote code execution vulnerability in the way that the Windows shell handles specially crafted URIs that are passed to it.

This is the same bug that was being exploited via rigged PDF files more than a month ago.

Because the Windows shell does not sufficiently validate these URIs, an attacker who can get a crafted URI passed to the shell (for example from a document or a web page) can execute arbitrary code. Microsoft has only identified ways to exploit this vulnerability on systems using Internet Explorer 7. However, the vulnerability exists in a Windows file, Shell32.dll, which is included in all supported editions of Windows XP and Windows Server 2003.

The Windows shell in Windows Vista is not affected by this vulnerability.

[SEE: MS Outlook flaw adds new twist to URI handling saga ]

Microsoft said it has not identified any way to exploit this vulnerability on systems using Internet Explorer 6, but, as a defense-in-depth measure, the patch is being distributed to all customers using supported editions of Windows XP and Windows Server 2003, regardless of which version of Internet Explorer is installed.

A second bulletin in this month's Patch Tuesday (MS07-062) addresses a spoofing vulnerability in Windows DNS Servers.

From the bulletin:

The Windows DNS Server service doesn’t provide enough entropy in its random choice of transaction values when it sends out queries to upstream DNS servers. An attacker who successfully exploited this vulnerability could gain information about the DNS server’s transaction IDs, and use that information to send malicious responses to DNS requests, thus redirecting Internet traffic from legitimate locations to an address of the attacker’s choice.

The DNS spoofing flaw carries an "important" rating.
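To make the entropy argument in the bulletin concrete, here is an added example (not from the article and not Microsoft's code) that models a resolver whose transaction IDs follow a constructed, predictable sequence beside one that draws them from a CSPRNG, and measures how often an off-path attacker's forged response carries the right ID. The sequential generator is a stand-in for any low-entropy scheme and is not the algorithm Windows DNS actually used; the attacker model (observing a few earlier IDs, for instance by making the resolver query a nameserver the attacker controls, then forging answers for a victim query) is likewise an assumption.

```python
import secrets

TXID_SPACE = 1 << 16  # DNS transaction IDs are 16 bits wide


class SequentialTxid:
    """Constructed low-entropy generator: each query's ID is the previous one plus one.
    A stand-in for any predictable scheme; NOT the generator Windows DNS used."""

    def __init__(self, seed: int) -> None:
        self._next = seed

    def __call__(self) -> int:
        value = self._next % TXID_SPACE
        self._next += 1
        return value


class RandomTxid:
    """Hardened generator: every ID is an independent draw from a CSPRNG."""

    def __call__(self) -> int:
        return secrets.randbelow(TXID_SPACE)


def predict_next_txid(observed: list[int]):
    """Attacker model: if the IDs seen so far form an arithmetic progression mod 2^16,
    return the ID the next query will use; otherwise None (no usable pattern)."""
    if len(observed) < 2:
        return None
    step = (observed[1] - observed[0]) % TXID_SPACE
    if any((b - a) % TXID_SPACE != step for a, b in zip(observed, observed[1:])):
        return None
    return (observed[-1] + step) % TXID_SPACE


def spoof_success_rate(make_gen, observed_count: int = 4,
                       blind_guesses: int = 1, trials: int = 200) -> float:
    """Per trial: the resolver emits `observed_count` IDs the attacker can see, then one
    target ID for the victim query.  The attacker forges responses carrying either the
    predicted ID or `blind_guesses` random IDs.  Returns the fraction of trials in which
    a forged response matched the target ID (source port and question are assumed to
    be known to the attacker, so only the ID is in play)."""
    hits = 0
    for _ in range(trials):
        gen = make_gen()
        observed = [gen() for _ in range(observed_count)]
        target = gen()
        predicted = predict_next_txid(observed)
        if predicted is not None:
            guesses = {predicted}
        else:
            guesses = {secrets.randbelow(TXID_SPACE) for _ in range(blind_guesses)}
        hits += target in guesses
    return hits / trials


def blind_rate_per_packet(guesses: int = 1) -> float:
    """Best an attacker can do against a uniformly random 16-bit ID."""
    return guesses / TXID_SPACE


if __name__ == "__main__":
    weak = spoof_success_rate(lambda: SequentialTxid(secrets.randbelow(TXID_SPACE)))
    strong = spoof_success_rate(RandomTxid)
    print(f"predictable IDs: {weak:.3f}   random IDs: {strong:.5f}   "
          f"theoretical blind rate: {blind_rate_per_packet():.6f}")
```

With a predictable generator one forged packet is enough, which is the situation the bulletin describes. With a proper generator each forged packet succeeds with probability 1/65536, so 16 bits of transaction ID is still a thin margin on its own; this is why resolvers also randomize the UDP source port of outgoing queries, giving the attacker a second field to guess.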

  • The monthly reminder on why you might want to move to Vista.

    • Or

      away from Microsoft products.
      • If only

        Too bad there isn't a single (useful) OS that doesn't have critical flaws that require patching every once in a while. :(
        • re:if only

          You mean like all the critical flaws that Windows has right now. Critical flaws every day,
          every week, every month, every year. It's a shame Microsoft can't get its act
          together.
  • They have not fixed the problem.

    So far as I can tell from this bulletin they have not actually fixed the problem.

    "This security update addresses the vulnerability by changing the way that Windows shell handles invalid URIs."

    The problem is not in the way "the Windows shell" handles "invalid URIs". The problem is not in any URI handling code at all. The problem is in the way the Windows shell handles parameters to commands, by requiring the calling application to concatenate them in a single string and expecting the called application to parse this string and handle quoting the same way the program that called ShellExecute expected.

    What it seems like they have done is change the way the HTML control used by IE and the Windows shell handles URIs, to make some previously accepted URIs illegal, with the hope that these particular URIs are the extent of the problem.

    This is the same general approach they have used for all the systematic design flaws in HTML and shell behavior in Windows for the past 10 years. It has not worked in the past. Why do they believe it will work this time?
    • Web / Internet Flaw

      This is a general web / internet flaw. All the kludges to make the stateless web into something pseudo-stateful are finally coming home to roost.

      Solution = client should only display stuff that is happening on the server. None of this intertwined link crap from PDFs or media files, or whatever. Case closed.

      Linux might be better able to handle the fundamental shortcomings, but the client OS isn't the problem. It's a fundamental problem with the way the "web" has evolved.
      • Step back to 1991

        While the evolution of the web has been a bit ugly (especially to those who are privy to the underbelly), the net result has been fairly usable, especially considering how hard people are trying to sabotage the whole thing.

        I don't think going back to pure HTML (stateless as you said) is the solution. Having networked applications (such as Flash, Silverlight, Acrobat, Excel, etc.) will always be a desired function of the Internet. I sort-of agree that most of the problems came as a result of "hacking" the browser to support extensions that were not really thought through. I agree that Microsoft's general implementation for authentication within Office apps (aka Sharepoint) is pure garbage, but there is no better solution for Linux. I suppose we could go back to using FTP to get our PDFs but I prefer the shell to open it up for me. I think the problems are indeed fixed, as those who were using Vista were not exposed to this vulnerability. Hopefully technologies like Silverlight (Microsoft) and Flex (Adobe) will bring robustness to the rich Internet application such that we developers don't have to feel like hackers in order to bring the Web 3.0 experience to the populace.

        Quite likely this was a deliberate ploy to destroy Adobe by some evil Microsoft genius. Then again maybe an Apple loyalist has infiltrated Microsoft and is leading the crusade to destroy Microsoft from within. Or maybe Microsoft got lonely at the top and is letting Apple catch up (as part of Bill's philanthropic philosophy). Or maybe just like IBM before, they're getting big heads and think they can do whatever they want and they will always be top dog.
        • 1991? Try 1981... or earlier.

          This API goes back to MS-DOS, which got it from CP/M, which got it from ISIS and TOPS-10 and RT-11, which got it from the convention of passing job parameters to programs in the first card they read from a card reader...
      • It's a Windows problem.

        "This is a general web / internet flaw."

        The ability to retain persistent references to objects on servers in different security domains is an essential requirement for the web to exist. If you can't refer to an object on another site owned by another organization outside your control, then there would be no web. The details of how these references are made is irrelevant.

        Passing content from the website to external programs is not a requirement for the web, but it's also inevitable... the command line is how programs pass information to helper applications throughout the OS. Encoding external references in these parameters is also inevitable. Making these operations safe is essential.

        And it is not possible to make them safe in Windows.

        Since this API is pervasive... it's the standard way parameters are passed to programs on Windows... the problem is not limited to the web: it has been exploited in attacks on servers, in attachments to email messages, and so on.

        So it's not a "web" problem. It's a "windows" problem.
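The quoting hazard described in the comments above (the shell hands a URI to the registered handler inside a single command-line string, and the handler re-parses that string) can be shown with an added example that is not from the article or from any commenter. It implements the MSVCRT/CommandLineToArgvW argument-splitting rules in Python, substitutes a URI into a hypothetical handler command template of the kind registered under HKCR\<scheme>\shell\open\command, and shows a quote character inside the URI turning into an extra argument for the handler. The `is_safe_uri` filter at the end is one illustration of the "reject invalid URIs" approach the bulletin describes, not Microsoft's actual check; the handler path, scheme and URIs are constructed.

```python
import re


def split_windows_cmdline(cmdline: str) -> list[str]:
    """Split a command line the way MSVCRT's parse_cmdline / CommandLineToArgvW do:
    whitespace separates arguments, double quotes group, 2n backslashes before a
    quote become n backslashes, 2n+1 backslashes before a quote become n backslashes
    plus a literal quote, and backslashes anywhere else are literal.  (The newer
    '""'-inside-quotes rule is omitted; it does not change the point made here.)"""
    args, cur, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == '\\':
            j = i
            while j < n and cmdline[j] == '\\':
                j += 1
            nbs = j - i
            if j < n and cmdline[j] == '"':
                cur.append('\\' * (nbs // 2))
                if nbs % 2:            # odd run: the quote is escaped, not a delimiter
                    cur.append('"')
                    j += 1
            else:
                cur.append('\\' * nbs)
            have_arg, i = True, j
        elif c == '"':
            in_quotes, have_arg, i = not in_quotes, True, i + 1
        elif c in ' \t' and not in_quotes:
            if have_arg:
                args.append(''.join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg, i = True, i + 1
    if have_arg:
        args.append(''.join(cur))
    return args


# Hypothetical protocol-handler registration (constructed; no real product implied).
HANDLER_TEMPLATE = r'"C:\Program Files\Example\handler.exe" "%1"'


def build_cmdline(template: str, uri: str) -> str:
    """Mimic the shell filling in %1: plain substitution with no escaping, so any
    quote or whitespace inside the URI becomes command-line syntax."""
    return template.replace('%1', uri)


def handler_argv(uri: str) -> list[str]:
    """The argv the handler would see after re-parsing the substituted command line."""
    return split_windows_cmdline(build_cmdline(HANDLER_TEMPLATE, uri))


# Illustrative allow-list: RFC 3986 scheme followed by RFC 3986 characters only.
# Quote, space and backslash are not in the set, so they cannot alter splitting.
_URI_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")


def is_safe_uri(uri: str) -> bool:
    return _URI_RE.fullmatch(uri) is not None


if __name__ == "__main__":
    for uri in ('example:foo', 'example:foo" "--evil'):
        print(f"{uri!r:28} safe={is_safe_uri(uri)!s:5} argv={handler_argv(uri)}")
```

The second URI yields three arguments instead of two: the handler receives `--evil` as if the shell had been asked to pass it. Filtering the characters that affect splitting closes that particular hole, which is the shape of the change the bulletin describes; the comments above argue that as long as the parameters travel as one re-parsed string, any character the filter overlooks reopens it.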
  • RE: Microsoft patches URI handling, DNS spoofing flaws

    Every time a new MS o/s comes out a critical flaw in the old one is found which makes the new one more necessary, which over the years has become a trend which can not be ignored; as for the reason for this, it is unknown, but maybe the hype it receives isn't. Has anyone actually been attacked by anyone this way as of today?
    AND notice Vista is safe, and it took this long to identify the problem and cure it in XP?
    • You understand what you are suggesting, don't you?

      [i]Every time a new MS o/s comes out a critical flaw in the old one is found which makes the new one more necessary[/i]

      XP was out about 6 years before Vista was released. If you are suggesting that critical flaws only come out when a new OS is released, then XP had no critical flaws for 6 years. Not bad!!! If you believe that there have been critical flaws found in XP over the last 6 years, then Vista has nothing to do with it, this was just another critical flaw.

      It's funny to me that the zealots want to have it both ways: they see a conspiracy that critical flaws are announced when new Windows come out yet they also believe that critical flaws are announced every patch Tuesday. Pick one.

      snicker, smirk :)
      • You seem to be thinking...

        That (metaphorically) a Hyundai is a Nissan.

        What he was saying is that he thinks that when Microsoft releases a new version of Windows, Microsoft suddenly finds a bunch of critical flaws that are most easily cured by upgrading to the new version. The weakness in his argument is that Microsoft is releasing patches for the "old Windows."

          The problems are ever present no matter what you get, and yes, they are running fixes all the time, but the HYPE the problems get changes when a new alternative is available; it is the tone of urgency, criticalness and danger-to-your-life that appears. But this flaw was there 6 years, as one anti-zealot pointed out, and it doesn't seem the world has come to an end, or has it and I didn't notice yet!?
      • as usual

        You missed the point! It's that when the unfixable "need to have a new o/s" hype starts, it's about how bad and nasty the flaws are, not that they have been around, and that Vista is clean? HOGWASH. Either Vista has problems, but how bad are they? Wait till the MS Windows OS of 2010 or so comes out and we will find out, maybe. I STILL RUN WINDOWS 2000 PRO AND WINDOWS XP 64 AND MAYBE WILL GET VISTA IN THE NEAR FUTURE, BUT NOT BECAUSE OF THE B.S. HYPE.
    • anyone been attacked? yes, and you have too

      you asked if anyone has been attacked? ... yes.. and I'm sure you have too, but didn't realize it..

      haven't you gotten any spam in the past month with PDF's in them?

      If so, chances are good that at least one of those PDF's was infected with a malicious URI ...

      To suggest that "because you don't see it, it doesn't exist" is something that teeters near the edge of stupidity. You should watch that YouTube video of the guy in a 3rd world country that doesn't believe in electricity because he can't "see" it, so he then touches one of the wires coming into a building he decided to climb...he survived and perhaps now will treat electrical wires with more respect... and so too will you about flaws that could be perpetrated on your machine without your direct knowledge!
      • YES

        BUT were you attacked? No, you were baited. Did you bite? No, and neither did I. Read the thread and save your analysis till the conversation has been finished. Dismissing someone on the opening salvo will always lead you into the egomaniacal belief that you are the only thinking person left and you are always flawless in your character analysis.
  • RE: Microsoft patches URI handling, DNS spoofing flaws

    For those installing the update and using Norton Internet Security software, a nasty surprise awaits them. It caused Norton to crash on startup attempt. When I removed the update, Norton started up normally. This is not the first time that this has happened. The solution then was to use the Norton removal tool to uninstall, reinstall the security update, and reinstall Norton. Unfortunately, this goes against your allowed activation count and is rather lengthy in execution. I have emailed Symantec on this before I go through this again. I am awaiting a response from Symantec. BTW, I am running Windows XP Media Center Edition. For me to go with Vista Home Premium or Business edition, I will have to upgrade from 1 to 2 gigs of memory and purchase a graphics card, a hardware expense of near $300. Of course the Vista purchase from M$ is EXTRA!
  • URI exploit?

    It's in the hands of the application that the URI is registered to really, but if you insist on trying to patch it on the operating system level...

    - John Musbach
  • Microsoft patches URI handling ...

    "Installing Microsoft Internet Explorer (IE) 7 on Windows XP or Server 2003 changes the way Windows handles Uniform Resource Identifiers (URIs). This change has introduced a flaw ..."

    This talk of the flaw existing for six years seems meaningless, if you believe the TCSA TA07-297B.
    • Get rid of IE 7 ...

      To complete my thought, started in my previous post, it looks like uninstalling IE 7 should eliminate this particular flaw. The URL to the TCSA report, mentioned in prior comments here, is: