Microsoft has finally patched the critical URI-handling flaw that has been haunting Windows users since it was disclosed—and blamed on Firefox—in July.
As it turned out, Firefox was only one of a slew of attack vectors for this flaw, which has been circulating in the wild via maliciously rigged PDF files and other exploits since at least late October.
All supported versions of Microsoft Windows XP and Server 2003 with Internet Explorer 7 are prone to this critical vulnerability, which a remote attacker can exploit to hijack a system if he or she can trick a victim into following a malicious URI.
Known attack vectors include following URIs in these applications:
- Mozilla Firefox in versions prior to 18.104.22.168
- Skype in versions prior to 22.214.171.124
- Adobe Acrobat Reader 8.1
- Miranda 0.7
- Netscape 7.1
- mIRC chat client for Windows
On Oct. 10, Microsoft released Security Advisory 943521 about the vulnerability and public reports of remote code execution and said a patch was in the works.
The patch is finally here, coming in Microsoft security bulletin MS07-061—the only one to be marked critical out of two security updates released on the companys Nov. 13 Patch Tuesday.
The URI-handling issue occurs when applications pass URIs to the operating system to handle. According to an advisory sent to Symantecs Deep Sight subscribers, URIs containing percent-encoded characters, directory-traversal sequences, and double filename extensions can trigger the execution of applications.
“This issue stems from a flaw in Microsoft Windows when it tries to determine which application should be launched when interpreting protocol-handlers such as mailto:, http:, and others,” Symantec said in its advisory. “The issue is caused by a change in how interactions are handled between Internet Explorer and Windows Shell. Third-party applications that do not perform adequate input validation on URIs may serve as attack vectors for this vulnerability.”
Installing this update should be a priority, given how easy it is to exploit, experts are saying.
“With the ease of exploitation, the availability of public proof-of-concept code, and further attention that this vulnerability is receiving, we will likely begin to see more exploitation of this issue in the wild,” Symantec said back in October.
“This is one Id say get it installed ASAP because its being actively exploited,” said Shavlik Technologies CTO Eric Schultze.
The second security update to come on Patch Tuesday, MS07-062, is rated important. It addresses an important vulnerability in DNS that could allow spoofing in Windows Server 2003 and Windows Server 2000. It replaces an update put out earlier this year, MS07-029, addressing the vulnerability by increasing the randomness of DNS (Domain Name System) transaction IDs.
The DNS spoofing vulnerability is not being actively exploited.
One patch that was being looked for with eager eyes—a patch for a Macrovision flaw in a driver on Windows Server 2003 and Windows XP that was being exploited in the wild as of early November—was missing.
Schultze said that he expects to see an out-of-band patch coming later in the month for the Macrovision issue, given that its being actively exploited.
On top of security releases, Microsoft has also released three high-priority updates on Microsoft Update and WSUS (Windows Server Update Services).
The WSUS updates came just in time, given that without them, many users wouldnt be able to update on Patch Tuesday. The problem arose from Microsoft having modified content for WSUS and having in the process included a product name with double quotes around it. Microsoft then apparently failed to test the data after putting it in, given that a product with double quotes breaks the SQL Server databases process for WSUS.
Starting over the weekend, WSUS broke and was only fixed midmorning on the eve of Patch Tuesday.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.