URI problem now also in Adobe, Skype and Netscape.

Hi malware fighters,

We can discuss for days whether the URI problem is a Windows problem after all or not, but after Firefox, which temporarily fixed the problem, other software is also being troubled by this vulnerability:
http://www.heise-security.co.uk/news/96982

It almost seems Windows creates systematic problems for other software…

polonus

And MS isn’t prepared to admit that the problem is theirs, no change there then.

As yet, Microsoft does not see any reason to react. After contacting the Microsoft Security Response Team on this issue, we received the reply:

“After its thorough investigation, Microsoft has revealed that this is not a vulnerability in a Microsoft product.”

In other words, a large number of Windows XP users being affected by a serious security problem, which only occurs if they install Internet Explorer 7 and is not present at all in Vista, is not sufficient to justify an update. Microsoft prefers to sit back and watch while users and application developers struggle to secure Windows XP systems that behaved perfectly before IE7 was installed.

So I think you can now see my reluctance to install IE7 on my XP Pro system.

is not present at all in Vista
If it's not present in Vista which comes with IE7, then why is it an IE7 problem in XP ???

I haven’t the slightest idea why (I have neither IE7 nor Vista) just that it does, but the problem wasn’t (isn’t) there with IE6 and XP as has been documented in the above and a number of other reports, etc.

Somehow the integration of IE7 into XP adds additional functionality since IE of all recent flavours is an integral part of the OS, so an update to IE7 is going to make changes to XP. I don’t know if this is the fact that XP doesn’t have UAC that might somehow block any such running other applications from a URL turned into a command.

Adobe confirms PDF backdoor, offers unsupported workaround

Custom URL handlers enable third party applications (such as streaming media players and internet telephony applications) to directly launch from within another application - commonly a web browser but even using a command line from Start > Run. For example, the “mailto:” custom URL handler enables you to click on a link and start writing an email. To make these custom URL handlers more useful, they can accept parameters that provide more specific instructions. For instance mailto: accepts parameters like subject and body.

The number of potential applications (and protocol handlers) is effectively limitless, allowing for many new and exciting ways to enrich the Web. However, as with many extension models, there are security implications. In this example, one potential threat is that the custom URL may have dangerous parameters, such as strings that are too long and might cause a buffer overflow. The limitless variety of applications and their unique capabilities make it very difficult to have any meaningful automated parameter validation by the hosting (caller) application. It is the responsibility of the receiving (called) application to make sure it can safely process the incoming parameters.

He did not say specifically that Microsoft will not be issuing an IE patch. Instead, Diorinos pointed out that Protected Mode in IE7 in Windows Vista provides some additional protection when a user clicks on Application URL Protocol links.

This means that Vista users running IE get a roadblock that reads:

“A website wants to open web content using this program on your computer”

However, Windows customers running IE 7 on Windows XP get no such warning.
But you can also tweak FF in such a way that the browser gives this kind of alert.
For the bug see:
https://bugzilla.mozilla.org/show_bug.cgi?id=384384
But to say the problem does not exist in Vista is another thing…

polonus

mIRC is affected too :)
just try doubleclick following line

 mailto:%xx../../../../../../../../../../../windows/system32/calc.exe".bat 

pretty evil against newbie users …
btw. this way u may run any application including parameters (ftp,telnet or w/e you know is on any wXP system)

and who knows what else is vulnerable especially if that application allows active url/mailto links …

tho it seems MirandaIM 0.7 unicode is safe
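As an added example (not code from this thread, nor any vendor's actual fix): a caller-side check of the kind an application can apply before handing a clicked link to the OS protocol handler, following the point quoted above about validating URL parameters and the mailto: line posted here. The function name `uri_safe_for_handler`, the scheme allow-list and the length limit are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical allow-list: schemes this application is willing to hand to the OS. */
static const char *const ALLOWED_SCHEMES[] = { "mailto:", "http://", "https://" };

/* Case-insensitive prefix match (URI schemes are case-insensitive). */
static int has_prefix_ci(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != *prefix) return 0;
    return 1;
}

/* Returns 1 if uri may be passed on to the protocol handler, 0 to refuse it. */
int uri_safe_for_handler(const char *uri) {
    size_t i, n = strlen(uri);
    int scheme_ok = 0;

    if (n == 0 || n > 2048) return 0;               /* assumed length limit */
    for (i = 0; i < sizeof ALLOWED_SCHEMES / sizeof *ALLOWED_SCHEMES; i++)
        if (has_prefix_ci(uri, ALLOWED_SCHEMES[i])) scheme_ok = 1;
    if (!scheme_ok) return 0;

    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)uri[i];
        if (c <= 0x20 || c >= 0x7f) return 0;       /* controls, space, non-ASCII */
        if (strchr("\"<>\\^`{|}", c)) return 0;     /* not allowed raw in a URI */
        if (c == '%' && !(isxdigit((unsigned char)uri[i + 1]) &&
                          isxdigit((unsigned char)uri[i + 2])))
            return 0;                               /* malformed percent-escape */
    }
    if (strstr(uri, "../") || strstr(uri, "..%2f") || strstr(uri, "..%2F"))
        return 0;                                   /* path traversal */
    return 1;
}

int main(void) {
    /* First sample is the line posted in the thread; the rest are constructed. */
    const char *samples[] = {
        "mailto:%xx../../../../../../../../../../../windows/system32/calc.exe\".bat",
        "mailto:user@example.com?subject=Hello%20there",
        "MAILTO:user@example.com",
        "file:///C:/windows/system32/calc.exe",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-6s %s\n", uri_safe_for_handler(samples[i]) ? "pass" : "REFUSE", samples[i]);
    return 0;
}
```

The posted line is refused at the first check it hits, the `%xx` sequence that is not a valid percent-escape; the quote and the `../` run would each be refused on their own as well.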

Hi Dwarden,

After initial denial the position of M$ on this hole is gradually shifting. Now they state that a patch is planned: http://www.microsoft.com/technet/security/advisory/943521.mspx
They stress that the vulnerability does not exist in Vista, and there is a serious hole in IE7 running on Windows eXPerience. What more do we have to “experience” in these realms with this M$ OS?

polonus

Slowly but surely we are getting to the real culprit, perhaps ;D

Microsoft is investigating public reports of a remote code execution vulnerability in supported editions of Windows XP and Windows Server 2003 with Windows Internet Explorer 7 installed.

We are not aware of attacks that try to use the reported vulnerability or of customer impact at this time. Microsoft is investigating the public reports.

This vulnerability does not affect Windows Vista or any supported editions of Windows where Internet Explorer 7 is not installed.

Talk about blind, deaf (“We are not aware of attacks that try to use the reported vulnerability”), there have been reported issues for some time and even so why wait until attacks are known about. Do they really have to wait for attacks that affect their ‘customers’ before closing a vulnerability, it beggars belief.

So now we are in the investigation phase, I just wonder how long it will be until a patch is issued, whilst this vulnerability is known publicly before it is exploited ???

Boy oh Boy, wonder what will be next? Interesting information.

I think you can be sure it won’t be an open admission by MS.

3rd party fix, very experimental and ‘only on own risk’

http://spacebunny.xepher.net/hack/shellexecutefiasco/

It sounds like the cure could be more dangerous than the disease… ???

looks like Proof of Concept code is now in the wild for that Adobe hole …
http://www.vnunet.com/vnunet/news/2201292/exploit-surfaces-unpatched