
Microsoft Will Patch IE7 'URI' Hole

After basically stonewalling for the past three months, Microsoft late today announced it is indeed working on a patch for a severe security hole that turned up in Internet Explorer 7 last July.

I understand it's a complex problem. The first time it turned up, it was assumed to be a problem in how IE7 and Firefox, in conjunction, handle what are called uniform resource identifiers (URI).

You may recall that at the time Microsoft and the Mozilla Firefox folks had a bit of a tiff over whose problem it was.

Firefox was fixed in short order. However, until today, there basically wasn't a peep out of Microsoft.

Now Microsoft has released a Security Advisory – what the company publishes when they acknowledge a bug but don't have a patch yet – in order to warn users.

They do say they have a patch underway and will ship it as soon as they get it done and properly tested. At that point, they will publish a Security Bulletin, which includes links to the patch or patches. No word on how long that will be. But, hey, it's progress.

So who's affected by this bug? The problem has to do with changes Microsoft made between IE6 and IE7. Oddly, if you have IE7 running on Windows Vista, you're safe from this vulnerability. And if you're running IE6 or earlier versions on Windows XP, you're also safe.

However, if you're running Windows XP or Windows Server 2003 with IE7, you've got a problem.

Here's Microsoft's description of the issue, in typical Microsoft geek speak:

"Internet Explorer 7 updates a Windows component, which modifies the interaction between Internet Explorer and Windows Shell when handling URLs and URI’s. Applications which pass un-validated URIs or URLs to Windows can be leveraged to exploit this vulnerability."
Got that?

So in a nutshell, if you click on a malicious link, your PC could be completely compromised – but only if you're running IE7 on XP or Windows Server 2003.

Granted, these documents aren't aimed at your average consumer – rather, they are directed towards security professionals at big companies.

But Microsoft's consumer-oriented security documents on the same topics are usually so vapid as to be nearly worthless, in my opinion anyway. So it's a "Hobson's choice" of way too little information versus drinking out of the information fire hose. I'll opt for the latter.

Microsoft's recommendation of what to do while waiting for the patch: "Do not follow un-trusted links or browse un-trusted Web sites."

We've talked about this before … grrrrrrr. In a virtual world where 50-year-old unemployed slobs can easily masquerade as 30ish, athletic, unmarried stock brokers, how can you tell what links to trust? Luckily, there have been no known attacks in the wild so far.

And at least now there's a patch on the way. Let's keep our fingers crossed that Microsoft gets the patch out before somebody zero-days this hole. Stay tuned.

Source: PC WORLD
