#1
10-12-2007, 08:29 PM
Snuffy
IE FIX 4 ? or 5 ? or 6? have lost count

Microsoft changes tune, may patch IE7 bug
Wednesday, October 10, 2007
Although Microsoft Corp. fixed four flaws in Internet Explorer (IE) yesterday, it did not address a protocol-handling problem that could trick users into downloading malware, a move that surprised at least one security researcher. The company, however, said it has reopened its investigation and may provide a patch in the future.

"I was prepared to talk about a patch yesterday," said Andrew Storms, director of security operations at nCircle Network Security Inc. "I expected to see Microsoft retract its prior stance and fix this."

Storms was referring to the position that Microsoft first staked out in July -- that Windows and IE are not to blame for the protocol-handling vulnerabilities cited by multiple researchers. This week, the blame game returned when Juergen Schmidt, a researcher at Heise Security, said IE7 passed invalid Uniform Resource Identifiers (URI) to Windows XP, a bug that attackers could exploit to launch malicious code or scripts if users simply clicked on a link.

View Full Article: Computerworld
http://www.computerworld.com/action/...rce=rss_news10
__________________
The only Stupid Question is the one you failed to Ask!
Beta Tester since Pre Win 95.
#2
10-13-2007, 12:09 AM
Snuffy
MS will fix/patch IE7 for 3rd parties again

Microsoft changes mind, agrees to fix IE's URI handler
Yesterday, October 11, 2007 | jeremy@arstechnica.com (Jeremy Reimer)
Microsoft has stated that they will be releasing a patch to fix some, but not all, potential security flaws resulting from third-party applications being fed maliciously malformed URI requests.

A strange cross-browser vulnerability arose earlier this year that affected Firefox users, but only if Firefox was called from Internet Explorer. This bizarre bug involved URIs in Internet Explorer that could invoke third-party applications such as Firefox and then get them to execute arbitrary code. Microsoft claimed that the responsibility was solely that of the third-party developers, whereas others put the blame on Internet Explorer itself. Mozilla released a patch for Firefox that fixed the bug, and in the inimitable style of Internet arguing, this has convinced some people that Microsoft was right all along and others that Microsoft was wrong the whole time. Now, to confuse the matter still further, Microsoft employee Jonathan Ness has posted a note on his Internet Explorer blog explaining that Microsoft is preparing to release a patch for Internet Explorer 7 that will mitigate some, but not all, of these URI issues.

The Uniform Resource Identifier (URI) is a superset of the URL that identifies resources and instructs the browser on how to act on that resource. Maliciously-formed URIs can exploit bugs in the applications that they call in order to execute arbitrary code. Simply taking out all URI functionality in order to prevent any bugs of this kind is not really possible: Ness writes that "While we might have been able to make changes in some Windows APIs to block these attacks, doing so could break how the third party applications intended those protocol handlers to function." There are many useful functions that result from one application calling another, and removing this ability completely is not a good solution for most people.
Source:
http://arstechnica.com/news.ars/post...i-handler.html
Quote:
Originally Posted by Snuffy
Seems to me the 3rd parties should fix their own stuff... That is what Vista was supposed to do... you want to use junk (3rd party software) which is poorly written, it should be my fault, not MS's.
Quote:
Windows Vista users running IE 7 are unaffected, and Ness states that people still running IE6 are not affected either.