Microsoft warns of dangerous Windows URI vulnerability

Microsoft issued an alert warning of an unpatched command execution vulnerability in Windows XP and Windows Server 2003 that could be exploited remotely to access a machine.

Microsoft late Wednesday issued a security advisory warning about a dangerous command execution vulnerability affecting users of Windows XP and Windows Server 2003 with the latest version of Internet Explorer installed.

Mark Miller, director of security response communications for Microsoft, said the software giant is investigating public reports of the remote code execution vulnerability. Miller said Microsoft is not aware of active attacks that try to use the reported vulnerability or of customer impact.

"Microsoft is continuing to track this issue through the Software Security Incident Response Process and working on a security update to resolve it," Miller said.

In its security advisory, Microsoft said Windows XP and Server 2003 fail to properly validate URIs and URLs, allowing an attacker to execute arbitrary commands. If Internet Explorer 7 is installed, malicious URIs may be passed through it by several third-party applications, such as Adobe Acrobat Reader, mIRC, Mozilla Firefox, Skype or Miranda IM.

To carry out an attack, an attacker must embed a malicious URI in a Web page or email and trick the user into following the link.

Preparing for uniform resource identifier (URI) exploits:

By Michael Cobb, Contributor

Most people using the Internet know what a Web address is, or at least use the term as a non-technical synonym for a URL or uniform resource locator: a string of characters used to identify a resource and a means of locating it.

A URL is, in fact, a subset of uniform resource identifiers, or URIs. URIs use a defined syntax to provide a simple and extensible means for recognizing and accessing an Internet resource. The identifiers can do so without regard to the application or platform used. The URI syntax is essentially a URI scheme name, such as 'http' (Hypertext Transfer Protocol), followed by a colon and then a scheme-specific part.
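The advisory's core point is that the operating system, not the application handing it a link, was trusted to validate the URI; the sidebar then describes the generic syntax (scheme, colon, scheme-specific part) that such validation rests on. The following Python is an added example, not code from the article, Microsoft or any of the applications named above. It shows how a desktop application can check a URI against RFC 3986's generic syntax and an explicit scheme allowlist before delegating it to the OS protocol handler. The function names, the allowlist and the sample inputs are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# RFC 3986, section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*$")

# Characters RFC 3986 permits outside percent-encoding: unreserved, gen-delims,
# sub-delims and '%' itself. Anything else must be encoded or rejected.
URI_CHARS_RE = re.compile(r"[^A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]")

# Hypothetical allowlist for an application that only ever needs to open web
# links and e-mail addresses; an application should list only the schemes it
# has a reason to hand to the operating system.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

MAX_URI_LENGTH = 2048  # constructed limit; adjust to the application's needs


def split_uri(uri: str) -> Optional[Tuple[str, str]]:
    """Split a URI into (scheme, scheme-specific part) per the generic syntax.

    Returns None when no syntactically valid scheme precedes the first colon,
    so strings such as "no scheme here" or "1abc:x" are never treated as URIs.
    The scheme is lowercased because RFC 3986 defines schemes case-insensitively.
    """
    scheme, sep, rest = uri.partition(":")
    if not sep or not SCHEME_RE.match(scheme):
        return None
    return scheme.lower(), rest


def check_outbound_uri(uri: str) -> Tuple[bool, str]:
    """Decide whether the application may pass `uri` to the OS protocol handler.

    Returns (allowed, reason). The application, not the handler, enforces:
    a bounded length, a well-formed scheme, membership on the allowlist,
    no control characters, well-formed percent-encoding, and no characters
    outside the RFC 3986 repertoire that a handler might interpret itself.
    """
    if len(uri) > MAX_URI_LENGTH:
        return False, "URI exceeds length limit"
    parts = split_uri(uri)
    if parts is None:
        return False, "no valid scheme"
    scheme, rest = parts
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme '{scheme}' not on allowlist"
    # RFC 3986 URIs consist of printable ASCII only; control characters
    # (including CR/LF) must never reach the handler unencoded.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in rest):
        return False, "control character in URI"
    # Every '%' must introduce exactly two hex digits.
    if re.search(r"%(?![0-9A-Fa-f]{2})", rest):
        return False, "malformed percent-encoding"
    if URI_CHARS_RE.search(rest):
        return False, "character outside URI repertoire"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample links of the kind a document or chat message might carry.
    samples = [
        "http://example.com/page",
        "HTTP://EXAMPLE.COM",
        "ftp://example.com",
        "http://example.com/%zz",
        "http://example.com/a b",
        "no scheme here",
    ]
    for s in samples:
        allowed, reason = check_outbound_uri(s)
        print(f"{'PASS' if allowed else 'DROP'}  {s!r}: {reason}")
```

The design choice worth noting is that rejection happens before the string leaves the application: an allowlist of schemes, rather than a blocklist of known-bad ones, means a handler for a scheme the application never intended to use is simply never reached, and the percent-encoding and repertoire checks stop the handler from being the first component to interpret unexpected characters.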

Additional information about the flaw can be found at the Microsoft Security Response Center blog. The response center team called the vulnerability extremely complex and said they have been studying the issue since it was first reported in July.

The vulnerability was first discovered in July by independent security researcher Billy Rios, who said on his blog that the vulnerability could be delivered through the Firefox browser.

As a result of the latest advisory, Cupertino, Calif.-based antivirus giant Symantec Corp. maintained its ThreatCon at Level 2. It was raised to Level 2 earlier in the week as a result of four updates released as part of Microsoft's monthly batch of patches to address critical vulnerabilities.

"Users are advised to be wary of any suspicious or unsolicited documents and are urged not to blindly follow any links received via email or instant messaging," Symantec said in its advisory.

Microsoft released its monthly security update on Tuesday, issuing four updates that address critical vulnerabilities attackers could exploit to run malicious code on targeted machines. IT administrators said attackers are most likely to go after the flaws outlined in Microsoft's MS07-057 bulletin, which fixes four different flaws, the most serious of which could allow remote code execution if a user views a specially crafted Web page using IE.

Senior News Writer Bill Brenner contributed to this report.
