IE bug behind Adobe security warning

Microsoft's admission that there is a security gap in the way Internet Explorer (IE) 7 handles calls from third-party applications means network managers need to be extra cautious over the coming weeks while a patch is developed.

The flaw means an outsider can get remote access to a user's desktop without any user interaction, and was originally flagged back in July when it was discovered that an incorrect URI (uniform resource identifier) could be invoked after a malware-ordered launch of the Firefox browser via IE.

The potential problem would affect Windows XP and Windows Server 2003 with Windows Internet Explorer 7 installed, Microsoft has now acknowledged.

The problem is linked to Adobe's announcement earlier this week that it was issuing a patch for its Acrobat products after the discovery of a security problem. A system is vulnerable when IE 7 is installed and used with Adobe Acrobat Reader/Acrobat version 8.1 and prior, especially when opening PDFs from the web.

The following widely installed programs are also possible attack vectors: Firefox version 2.0.0.5; Netscape Navigator version 9.0b2; mIRC version 6.3; Outlook Express 6, e.g. when following specially crafted links in vCards, and ditto for Outlook 2000. However, this may not be an exhaustive list as other versions of these applications as well as other software could be affected.

Microsoft had been insistent that the problem lay with other suppliers who, it argued, bore the responsibility for screening code. The company has been criticised since the problem was first detected by researchers for not taking more active steps. Microsoft has reversed course and promised to close the loophole but says it disagrees that it should have acted sooner.

"When we make a mistake we have no problem in admitting it, but we don't think we did in this case," Mark Miller, director of security response communications for Microsoft, told IT PRO.

"But we have issued this advisory as we do whenever there is a danger of a potential attack and to clear up any confusion."

Microsoft said it is not aware of attacks that try to use the reported vulnerability or of customer impact, but that until it issues a patch users should be cautious about opening emails or attachments from unfamiliar senders and network managers should make sure their anti-virus software is fully up to date.

Miller claims the vulnerability does not affect Windows Vista "or any supported editions of Windows where Internet Explorer 7 is not installed," and that any problems can only arise under a certain set of circumstances.

"In order for this attack to be carried out, a user must trigger an un-validated, specially crafted URL or URI in an application." For example, a user would have to click on a link in an email message, which could then allow arbitrary code to run in the security context of the logged-on user.
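The condition Miller describes, an application passing an un-validated URI straight through to the system, is also where a defensive check belongs. The following Python is an added example written for this page, not code from the article, from Microsoft or from Adobe: it shows a validation gate an application such as a mail client or document viewer can place in front of the OS protocol handler, rejecting links that use an unexpected scheme or that hide shell metacharacters or control characters behind one or more layers of percent-encoding. The scheme allowlist, length limit, forbidden-character set and the `validate_uri`, `is_safe_uri` and `dispatch_uri` names are assumptions chosen for illustration; the sample links are constructed.

```python
# Added illustration, not code from the article, Microsoft or Adobe: a
# validation gate an application can put in front of the OS protocol handler
# so that a URI taken from an e-mail, a vCard or a PDF link is checked before
# it is passed on. The scheme list, length limit and forbidden-character set
# are the editor's assumptions; tune them to what the application really needs.
from urllib.parse import urlsplit, unquote

ALLOWED_SCHEMES = {"http", "https", "mailto"}   # assumption: what the app needs
MAX_LEN = 2048                                   # assumption: generous upper bound
# Characters that have no place in a URI handed to a shell-style launcher.
FORBIDDEN = set('"\'<>|&;`$\\')


class UnsafeURI(ValueError):
    """Raised when a URI fails validation; the caller must not launch it."""


def _decoded_layers(uri: str, depth: int = 3) -> list:
    """Return the URI followed by successive percent-decodings, so a payload
    hidden behind double encoding is inspected as well as the raw form."""
    layers = [uri]
    for _ in range(depth):
        nxt = unquote(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers


def validate_uri(raw: str) -> str:
    """Return the URI unchanged if it passes every check, else raise UnsafeURI."""
    if not isinstance(raw, str) or not raw:
        raise UnsafeURI("empty URI")
    if len(raw) > MAX_LEN:
        raise UnsafeURI("URI too long")
    # Literal control characters (CR, LF, NUL, ...) are rejected outright.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in raw):
        raise UnsafeURI("control character in URI")
    try:
        scheme = urlsplit(raw).scheme.lower()
    except ValueError as exc:          # malformed netloc etc.
        raise UnsafeURI(f"unparseable URI: {exc}") from exc
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURI(f"scheme {scheme!r} not allowed")
    # Check the raw string and every decoded layer for metacharacters and
    # for control characters that were percent-encoded.
    for layer in _decoded_layers(raw):
        bad = FORBIDDEN & set(layer)
        if bad:
            raise UnsafeURI(f"forbidden characters {sorted(bad)} after decoding")
        if any(ord(ch) < 0x20 or ch == "\x7f" for ch in layer):
            raise UnsafeURI("percent-encoded control character")
    return raw


def is_safe_uri(raw: str) -> bool:
    """Boolean convenience wrapper around validate_uri."""
    try:
        validate_uri(raw)
    except UnsafeURI:
        return False
    return True


def dispatch_uri(raw: str, handlers: dict):
    """Validate, then hand the URI to a per-scheme handler (never to the shell).
    `handlers` maps scheme -> callable; a missing handler is a refusal, not a fallback."""
    uri = validate_uri(raw)
    scheme = urlsplit(uri).scheme.lower()
    handler = handlers.get(scheme)
    if handler is None:
        raise UnsafeURI(f"no handler registered for {scheme!r}")
    return handler(uri)


if __name__ == "__main__":
    # Constructed sample links of the kind a mail client might meet in a message.
    samples = [
        "https://example.com/report.pdf",
        "mailto:alice@example.com",
        "mailto:alice@example.com?subject=%22%3E%7C",   # decodes to " > |
        "http://example.com/%2522",                      # double-encoded quote
        "http://example.com/%0d%0a",                     # encoded CR LF
        "file:///somewhere",                             # scheme not allowed
    ]
    opener = lambda uri: f"opened {uri}"
    for s in samples:
        try:
            print(dispatch_uri(s, {"http": opener, "https": opener, "mailto": opener}))
        except UnsafeURI as exc:
            print(f"rejected {s!r}: {exc}")
```

The point of checking every decoded layer is that the launcher downstream may decode the string again after the application has looked at it; validating only the raw form would let an encoded metacharacter through. Dispatching by scheme to a handler the application controls, rather than calling a generic "open this" shell function, is what removes the dependence on how the platform's own URI handler behaves.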

Microsoft finally said it is working on a patch as well as issuing a specific advisory and recommends monitoring of its security centre blog.

"This is a crucial flaw for which Microsoft originally tried to lay blame on others, suggesting they needed to sanitise input to the URIs," said Pete Simpson, ThreatLab manager at email monitoring specialist Clearswift.

"Now it has accepted it is its responsibility and that should be welcomed."

But Simpson cautions that now the exploit is so public it is a "race between the good guys and the bad guys": hackers may try to use the gap until a patch goes online.