Microsoft warns of attacks on Windows URI, URL handling flaw
In an updated security advisory, the Redmond, Wash.-based corporation warned of attacks using a URI and URL handling flaw in Windows XP and Windows Server 2003 with Internet Explorer 7 (IE7) installed.
Microsoft said Thursday that it is also aware of proof-of-concept code designed to exploit the flaw, which the corporation published an advisory about earlier this month.
The vulnerability occurs when Windows does not properly handle specially crafted URIs or URLs passed to it when IE7 updates a Windows component. Windows then modifies the interaction between IE and Windows Shell, according to Microsoft's updated advisory.
An attacker could set up a malicious link in an email message to exploit the vulnerability, according to Microsoft.
The flaw does not affect Windows Vista or any operating system where IE7 is not installed.
Bill Sisk, Microsoft's Security Response communications manager, said Thursday on a company blog that non-Microsoft programs are being used in reported attacks.
“Third-party applications are currently being used as the vector for attack, and customers who have applied the security updates available from these vendors are currently protected,” he said. “However, because the vulnerability mentioned in this advisory is in the Microsoft Windows ShellExecute function, these third-party updates do not resolve the vulnerability – they just close the attack vector.”
A Microsoft spokesperson referred queries for comment to the blog posting and advisory.