The Redmond, Wash.-based corporation revealed that it is working on a patch for the issue, and is not aware of any attacks exploiting the flaw.
Mark Miller, Microsoft director of security response communications, said Wednesday in a statement that a remote attacker could take control of a PC by tricking a user into clicking on an emailed link.
“In order for this attack to be carried out, a user must trigger an unvalidated, specially crafted URL or URI in an application,” he said. “For example, a user could click on a link in an email message, which could allow arbitrary code to be run in the context for the logged-on user.”
The vulnerability exists because IE7 updates a Windows component, modifying the relationship between the browser and Windows shell when handling URLs and URIs. Applications that pass the URIs or URLs on to Windows, such as browsers, can be leveraged for exploitation, according to Microsoft's advisory.
The vulnerability does not exist on PCs running Windows Vista, or those that do not have IE7 installed.
Microsoft credited researchers Carsten H. Eiram of Secunia, Aviv Raff of Finjan, and Petko Petkov of Gnucitizen with reporting the vulnerability.
Jonathan Ness, a member of the Secure Windows Initiative Team, said Wednesday on the Microsoft Security Response Team blog that the software giant is working on a fix, noting that the issue “is not a vulnerability in any specific protocol handler.”
“Our plan is to revise URI handling code within ShellExecute() to be more strict. While our update will help protect all applications from malformed URIs, application vendors who handle URIs can also do stricter validation themselves to prevent malicious URIs from being passed to ShellExecute(),” he said. “We have also seen several vendors introduce additional validation as a way to protect their customers from this issue.”
Ness said that this issue is different from a protocol-handling flaw discussed by Microsoft researchers in July.
Petkov told SCMagazineUS.com today that he and Raff discussed the issue with Microsoft, but he did not blog about it because of its severity.
This type of issue creates a difficult situation for Microsoft, Petkov said.
“I believe that [Microsoft officials] fully realize the potential dangers and they are trying to address the issue without compromising the accessibility level of the operating system,” he said via email. “It is a tough problem, which IMHO is not entirely Microsoft's problem. After all, nobody blames SQL injection problems on PHP and ASP. Likewise, it is the developer's responsibility to sanitize and make sure that only URLs are passed to functions that exclusively handle URLs only.”
Yuval Ben-Itzhak, Finjan chief technology officer, told SCMagazineUS.com today that Microsoft responded to his company's disclosure in “a very short time.”
“You can find [URI handling flaws] on many other applications; it's a very common mistake of developers,” he said, adding that Finjan will divulge more information on the flaw after Microsoft releases a patch.
Symantec raised its ThreatCon meter to Level Two on Wednesday, citing Microsoft's flaw disclosure, warning users to be wary of unsolicited or suspicious documents or links.
“Since the software fails to sufficiently validate URIs and URLs, attackers can execute arbitrary commands in the context of the currently logged-on user,” Symantec said in its explanation of the escalation. “If IE7 is installed, malicious URIs may be passed to the ShellExecute() function via several third-party applications like Adobe Acrobat Reader, mIRC, Mozilla Firefox, Skype, or Miranda IM.”