Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Microsoft Patches DNS, URI-Handling Flaws



 By: Lisa Vaas
2007-11-13
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Microsoft has finally patched the critical URI-handling flaw that has dogged Windows users since July.

Microsoft has finally patched the critical URI-handling flaw that has been haunting Windows users since it was disclosed—and blamed on Firefox—in July.

As it turned out, Firefox was only one of a slew of attack vectors for this flaw, which has been circulating in the wild via maliciously rigged PDF files and other exploits since at least late October.

All supported versions of Microsoft Windows XP and Server 2003 with Internet Explorer 7 are prone to this critical vulnerability, which a remote attacker can exploit to hijack a system if he or she can trick a victim into following a malicious URI.

Known attack vectors include following URIs in these applications:

  • Mozilla Firefox in versions prior to 2.0.0.6
  • Skype in versions prior to 3.5.0.239
  • Adobe Acrobat Reader 8.1
  • Miranda 0.7
  • Netscape 7.1
  • mIRC chat client for Windows

Resource Library:
On Oct. 10, Microsoft released Security Advisory 943521 about the vulnerability and public reports of remote code execution and said a patch was in the works.

The patch is finally here, coming in Microsoft security bulletin MS07-061—the only one to be marked critical out of two security updates released on the companys Nov. 13 Patch Tuesday.

The URI-handling issue occurs when applications pass URIs to the operating system to handle. According to an advisory sent to Symantecs Deep Sight subscribers, URIs containing percent-encoded characters, directory-traversal sequences, and double filename extensions can trigger the execution of applications.

"This issue stems from a flaw in Microsoft Windows when it tries to determine which application should be launched when interpreting protocol-handlers such as mailto:, http:, and others," Symantec said in its advisory. "The issue is caused by a change in how interactions are handled between Internet Explorer and Windows Shell. Third-party applications that do not perform adequate input validation on URIs may serve as attack vectors for this vulnerability."

Installing this update should be a priority, given how easy it is to exploit, experts are saying.

"With the ease of exploitation, the availability of public proof-of-concept code, and further attention that this vulnerability is receiving, we will likely begin to see more exploitation of this issue in the wild," Symantec said back in October.

"This is one Id say get it installed ASAP because its being actively exploited," said Shavlik Technologies CTO Eric Schultze.

The second security update to come on Patch Tuesday, MS07-062, is rated important. It addresses an important vulnerability in DNS that could allow spoofing in Windows Server 2003 and Windows Server 2000. It replaces an update put out earlier this year, MS07-029, addressing the vulnerability by increasing the randomness of DNS (Domain Name System) transaction IDs.

The DNS spoofing vulnerability is not being actively exploited.

One patch that was being looked for with eager eyes—a patch for a Macrovision flaw in a driver on Windows Server 2003 and Windows XP that was being exploited in the wild as of early November—was missing.

Schultze said that he expects to see an out-of-band patch coming later in the month for the Macrovision issue, given that its being actively exploited.

On top of security releases, Microsoft has also released three high-priority updates on Microsoft Update and WSUS (Windows Server Update Services).

The WSUS updates came just in time, given that without them, many users wouldnt be able to update on Patch Tuesday. The problem arose from Microsoft having modified content for WSUS and having in the process included a product name with double quotes around it. Microsoft then apparently failed to test the data after putting it in, given that a product with double quotes breaks the SQL Server databases process for WSUS.

Starting over the weekend, WSUS broke and was only fixed midmorning on the eve of Patch Tuesday.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.



  Reader Comments: Microsoft Patches DNS, URI-Handling Flaws
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Lisa Vaas
 


x}r۸j9kmH)ٖcؖēԩRQ$$qLZ$e[3g~b:?qtMZ%w-Dh F?;;~$rȹklJv'[D;;?.P|gSo92p=z#m)>M3ȩ 55vGl&J~x'A :#:@P5uΚ]ٚ#7Gp2 X -$0krZ'jZ6(CLez ZwO~Vh{⻶e}ׇH;Wnp{#a_ʞM"p8$j>w\gO0Ə;yqL%X䈍YR0wS&>dRrpXda=}ٗe̛ 4a[Mޡl7Z*մ*rM)]rLη-gvo*syÝ1_gJY4Ew/ڧ9(֝` nKVj0Ns#ϭwq@ΰ{A Fb;}" @D%\.&I"0i5tt4_MBn $>Z]$/#t2 +?9V'ZUo7#?x?-|`kh2`cRZIj=OǝޗPY$Y.qz;?#<--˭%wܻG)H̛cM|`I`6M2Xc]NSjVmT7o`H2 &4 Vfm=w z a6z@u\ aלش 6,% hJqOd$e2TI0%mt*軤(If0[A0<^f/r.i }th8y*^뻹Ȇ4ljesJVd];5E֏FZTpx3jOWcҽ\t;6?@WbyƆƇj",$ uuUʵt ?XoET෰hc2ud8İ:AGAticšwh4N@7h`C=҉:L  w|hx:4,Ab@&a`M?Dm| &>r\l 8d(n)sɹsP&z5Hˋ` V<2/?>fn@ }S(|`OA[9nc@] CRRP$S]Pv9B B!\0 HV(􎄰R1iJLO:Tt{B#}T/΍5aGe-n^ $ d3CCd0U Q򍜈<"`&ˑea*0pRx5Vn`oʁUt@ބph,a8Bdp=YI ȱ&C K,4 ?;\ f7!q<-%st0L=f"hZ5g{0]@k9t<͉qlc9_A:\!4Lh,G7v9>5\'1nUM\4fX*p=N?>yBO,\naDP$7:O̗HڶMS}77BgsݐC/2$\^&VAB1 6d:l';oW Hݤ|r%e{R{`ELE2a5=%ӻnR/|؝PĠ;BZSOs\'g:[ֽYKnuEI8J{ۥi]hk%T7Bɶ/^[aa6E]QZRKPD@BR) ŠiY^`(ytMLТ-iÍ}}Skm |TM.R?>2ai[[jISJR{5>k憭l0!/Ȁ2n(进,قrir68:)`CϵsҝzGztg@>:`әǟG(a!cS*}a5*4&0Sgm1LL=F˸:qmXbO@{)Cjе瓩;°{Z^v;Za6OZ-j+Ao{LrCm0 "}˞CO;b^-!/B~,%1Iԏ5@&^`Ge d*9m0ܡk]6bDugNPt>-D-g \jpb Zqq&~~~0,\y.Kg>f}`+|\qgI оGhʰeXh`ZzuG6$sD(Mܥh&\3atS3m4`Hڸ/|P"588zx|@*&DB\ --UŨN= =g7`qT=Ov@%ХCizi}~هF9C!߬%PP6霎0L M,G\մRb/X` s*? .=l)3PY[7`MSG_`p1\APB7!ll*j*r1=_?K] [L4@V1`O)n<0{L3wB>6 io4rd2z6PZMm"Z;"V ̼~jL-yTJJ\ӳ (Jq$ {2u9pdZ?lI3_靦MGnRzQ|Z%W:ju[|$cPQ]|UMBR%%!~!Fqi-EBSk8Okps!p B0_ \PF.^ʵhDmR.)+na/ ~ewm> Q?F)7 ug͋5-I'4g_ su_v^sODмpڋ~ϥ%<jUj_~':.yCM q߲oSRH3 J@#$=ĸ9}/gvl/>HWmu #8.dhXuՇQsŏEKJ:\[Oj܉g, Y# BW ͦ5fpR`QqH15{0L5)/suܺĂ Ӝ$"j?N3$ne8X;Z_aݪ,$"0! I+U:9>  cJ=!Vo8nw/Ϛ_#i9LB `E/ԩ #~DrIGzRFijQɉπ/`Ic1:(:0[L㷜oWȘI;D_q-5'=?U[k'?!'68]h1HEa]"Ts (z-ӤND)fTDxi'y0:{8쀒N1ӻ7lOܢM]nց9X)ŔL irdAgJȄfye5)a5R!MLCYOC/%$f;kB:zs goӚmfygj?l6V"#&@v\&0Ӑ qk5BE HY)o8-yB>@lb%%hҫoeW!؉lj9l0ta^}rWkb~]ȩZU$}ݙ8V0i;FHS `'# eީӊNf|uѺB ~ݾC5eNx?IАZ#=p>~愜0n3|{mv6bOf0>ovV8}'i?vݷ;޽s¾"CWqk:i)@Nd$$$yUZ/"2gNIJn':L9zd< ,fux3D?,yi91>gnP;-z4ݷ=Y.=]bwQxIݣ뻻PŞwYiIU9.r\-"nGx{qI9.tu?,r`\TzH^8؈ڽ]sg[D:*pG#LuOyc Z~‡i4&K-x<79wB#AVާA3n` \`5 gX/=נ> 51*%(:a5RTXVnc9yT =::Ciҵp",!=`'K.+R $.CN%?>9+Qx9 ;.6шYp쿓8粈Jx,O`!K:Qmd'1p aȬȂ2 ZA>u爛Bl]d5=9ext:S6|p4vYDvԎBmE)Njh'YP1~dưB7>eo`K<[h"R$U%.:xqY{?A$r (qn$\,jq&s͙08_V ӴLm m\M8E+?\Xz7%aC'ـ o~Ԉʌ \E&]+%U+'jQ~4,6o[fuOm:}a#"#USPwOw57bo9%c#(7}fH+wi*F5d])Y ޡM|-\jOAQOJ=XKg6ba$KT!O ~.蝿Ob MB$MI BEd"Ǒb(MdW?OI oE]x{JZmd^Uj/H#diƞ;ҥ=Cq nIZZU6"Ͱ40aH 4r[>e"}$vOrU6% keϖ&7]GH! U+F$ʁ(DZ%Nx@_+UneJ GTڞV|vzx,%e2^(>;P,R1I[11x"D"EσIOCLI_RO"r0.[(k+zlK|RD/ӢU*5E[ #f rD4AD&KK,cxdŗ+s,"Pv'V; IZM)YK*9nh؅5/t㠱uוg5XuS`\b%RݱOA4dfAPxyHuH ضV$UTבK&)4ͯM3.!qw7w7w7w7˺%UT!sUޯ׉}ɨ&X|y6m+/y@dA-P,̗tPUat5c7JTB ӕ]%Ip;x',Kxf>u%d t|5 bC|~-/^#') z0w&WJTYUZ]CQ+6z )^gl!Ơv!rȒ#v^ m"|6g~NM%nO*VI9A']mJV[C(YJB,Eu;# kїύ?KU7$ҳ BMU0إ:޿EW: ܥkEGuq!qc ,{x'0$o-] L=Cg!핟zǴE!24f`HWnJt0ޭ JM[g磸G5ch h 6cm9,hOLI7$ʳ>qKDyHߌ;ݹ1kUOE{U#KP=áo>Ưs[=Y&=\Q<˕߰bY B =\(Q 6BX77{4MowQ-I箏!NC{ɪt[Ԧ!|=$v0^D8$ ی >B!{cG o$g~p$ZA~!֔jrLPRf5|[ S~H}xu=VDWer:VQN`I~x^N;vDwR.?+W8G'-]6%Ccoh&&[>S=W7!4SXubM:$tF87?w`*,ℱfneOd%3_IuI4T[ "CLKOuztowwv]gpsZ3G$>c5?}rg闶QơG}3;pOߦ}-Gbd@.h ]L>}E-D7di㧳^jT608;7~=eO)So\kE_A-δhgaN0JLIx3!;Ppl R/Nջ'8. 2â= LA6XNl -MQӬf0uۿT}d+1V^Msg2VRXUǏ;4'k2u@ww«kOAp.AƵ!PS8]^q'H|$=F<춙wD̃Q#=ۆ7%Upyl?mLGX(&-V~%8=U -sqCvEM rNGʫG30kq'g."j\Dl빒0msWF%5{H JH 4~AX^q7U1"#[6CuX]&D 0R0؆_fV&gdB8AXJrXD PaCy"K&5\qҼRKCHm.95͂E o tMs95U(5u5b?=G/ttAj-biA.c2·[S1a Ǒ*B ǯ2A5\U BI? g>)fF<{i ?l_zZ3n>{i [j_ں⵴qwzRKovgO%ձH(lݹY冏5ڒVo4Jz (ӘFLA99ݱ=X rt jg~R߈uXy0W0r-h#jO5w65h9Mfikxg8 4xc=QxcDU<11t#P̲jNT]֏pY_E_t[6˵gSL@Ft5aT0|LC}h+{VzK"?{|5 Qh:pXHu oKa<${4m!ԓGĥ)׀!BT"Ba=X@*>IoH ]FV0\GzhE{ZW]C376f7gW Ka:=H!!t8 ]Q L\ CwD Os.c삶yu/ـ tS |9[CG)WTbʑ&İƨ?^]tR\E1 h0*pgj9fU KuL 2@: xE ?=W.nrj'[0'lx Db9ϻۈ) 0鈿a9=c1;Y{0mǀK0!/H`U]N"@ ' !݄J zIu~Kf60`6u}``EP00aLn?'Ӄ~7]_u:`4Pn 0Y:ovN+' @=PgA~2\b@Ԕ0(VIB qXR~DB(s k$ 3ֆú~: _F`3W VjE)OBӾR:C KDU8F|.ONlY,e/c/\iBR. ?$-G쌆=dRuǃ2rucѼv3ʿ@g,9@1?0, ~3s?9y}}g'E/>CS(?(#3a~/2".`.2d!: _:2>.eF+ 2+ק 埳a|39P~U{AuF@ugK\8=Rfr z)A^dկ?e$@yJɠ2,c/3\.2Kܿw2~62A/:u CFWz^Syښ薽pۭ]nX_KG{1Pi +{ʭO2 r hxVydb byeÿVPw;]SҤ]j. {%])r-XѧZ}5_9p=U26C{"djcZ7'%YØܻ Gz‰nQ2 oL2f~4ĎlOAprm>v#y`x&@_?&7S.pqk;ُϋGkwʗq@Afп~%kS$M^xylߣx߅ߊD,]z e%HI0σOor܌3:Xw[Gڽ/ii]]4-ЙMA]e[i"B8C0dp= Svڢ{!+ 7\` ď;#}ö0Nr@*5VZ*;" #G1Q5YUdJ.'jeV*V&zg l]{J̾ZCO3CX)ḃ}̺l5@ PcztdˎYUiYmBfP6սD<'u~m

7rO1 hJ/.ӡx}KQ,Vk k`V{ep-#2O,5U,%OBP'GEErlyOȼ!>0BkNM^G`yCO*80~.6%hŤeB6`s{7.Čk즬 $LƮv+:|6%^m D#[#쎥C͘Pi"r]6M b ه%OYs @;Lx wƇ ?[>KGJLƎ$z c߀9/ C{1L9ꃧrSY`_GBb #+*3Up& ɰ\T`'=ס a?w%X9VF  /McA۾$]מ X?8 >%Ͷ U^{3D3$ưz< RĠ)de h ki8`5o2s&zU Th4OSϫ1E![I% 9vc{[/I)H0\dz\g;mv 3R,`+/2^;' 'Wbz`#Yұ ߚP DQ[ |QCڼAߎKi[zQؗE@1agRW,;F>HY_ׁ.M%+#R.ܐOF{/)0XPy74<p2I nyxUOncC>XXe-s0ŬBSh=)O?7G[n\k<>ciESL/c<zAn0$ /-iΦJ:Ɛ9-)0p,\ftG6A|eKx7>zQ[tERb0%yMvSFc ?dtE#bSp!@>PM'2R8WD Q)۱YBAł?Vg;ENa pCQ!*m66s/>^|ۺ+AѮx'nGaJt{]Kl !{|J^Q.u 7tleb @J\] .m73Tt! %K@445-E6mЍ5O!ngNbk^Wfb@xVO=d_qxN|L/ة9uVOR6Ȥ{ ePCik5VI;;a0&iE-㨤t`C v_ʉ~ph[?҈Y>A wVǰYF!Ƨ7'TS*4.>ϭn/]2xDh^"@xplwn^^٠C"|fnAXjPwc-)œM萻kÔ{y0ѕDM1F(&,1S,@< փP&=`#hxl <nh1 d'kIG )}ɦbnԌaBcv L$g8% S^೐|,/A,LTT/D4;N7_yfϸȅc\YGw7X]嬵t1NʓEO:iϾJ=}v4<~v趿 a% ѨT\_N{+:g, lݸ᥇ͣ:.EyiNђt[i B"E{y|ܾ|/uM+_0dFp-<#@5̺J"4&o)FҢpL\岞Ԕbѥ;7 P%On6%s\ɜKBS+$Z/iDNƇ̎c>tgLt )2)v}ml-c6C-;H]F+