X
Tech
Home Tech Security

MS Outlook flaw adds new twist to URI handling saga

According to Secunia's chief technology officer Thomas Kristensen, proof-of-concept code demonstrating the Outlook issue has been sent to Microsoft to prove that this is indeed a Windows vulnerability that's caused by a design change in Internet Explorer 7.
Written by Ryan Naraine, Contributor
MS Outlook flaw adds new twist to URI handling saga
For months, Microsoft has taken a firm hands-off approach to the URI protocol handling vulnerability saga, shrugging off suggestions that there's a flaw in Windows that needs to be fixed.

Now comes word that two Microsoft products -- Outlook Express 6 and Outlook 2000 -- have joined the growing list of Windows applications that can be used as attack vectors.

According to Secunia's chief technology officer Thomas Kristensen, proof-of-concept code demonstrating the Outlook issue has been sent to Microsoft to prove that this is indeed a Windows vulnerability that's caused by a design change in Internet Explorer 7.

[ SEE: How to configure Internet Explorer to run securely ]

"Microsoft is now affected by [its] own design change," Kristensen said in an e-mail exchange." We hope that Microsoft now chooses the right path and creates a general fix for Windows [or] IE7 rather than start patching all their own applications and ask third party vendors to do the same," he added.

MS Outlook flaw adds new twist to URI handling saga

A spokesman for Redmond's security response team said the company is aware of what is described as "a potential issue in the way that Windows handles URLs passed in from other applications.

He also dropped a strong hint that this is something that might require a comprehensive Windows fix.

"Microsoft is continuing its investigation into this issue. Once we're done investigating, we will take appropriate action to help protect customers. This may include providing an update or additional guidance for customers."

[UPDATE: The company has  issued a formal security advisory with more information on the risks.  The advisory does not include any pre-patch workarounds. ]

That's a far cry from this statement from Microsoft in July:

Microsoft has thoroughly investigated the claim of a vulnerability in Internet Explorer and found that this is not a vulnerability in a Microsoft product.

An updated advisory from Secunia lists the following applications as attack vectors on fully patched Windows XP SP2 and Windows Server 2003 SP2 systems (with IE 7 installed):

  • Firefox version 2.0.0.5
  • Netscape Navigator version 9.0b2
  • mIRC version 6.3
  • Adobe Reader/Acrobat version 8.1 and prior (when opening PDF files)
  • Outlook Express 6 (e.g. when following specially crafted links in VCards)
  • Outlook 2000 (e.g. when following specially crafted links in VCards)

ALSO SEE:

Command injection flaw found in IE: Or is it Firefox?

IE-to-Firefox flaw debate rages: Ex-Microsoft security strategist weighs in

Mozilla caught napping on URL protocol handling flaw

Mozilla fixes its end of URL protocol handling saga

Adobe confirms PDF backdoor

Editorial standards
Show Comments

Related

ibm8gettyimages-1659447431

The best free AI courses (and whether AI 'micro-degrees' and certificates are worth it)

Front of the iPhone 15 Pro with Nomad Modern Leather case.

I changed these 10 iPhone settings and improved battery life dramatically

Meta Quest 2 virtual reality headset

Meta permanently slashes the Quest 2's price again, dropping it to an all-time low