IE 7 bug reopens debate over patch responsibilities
Researchers argue over who to blame; Microsoft again denies there's a bug
Computerworld - Security researchers are again arguing over who is responsible -- Microsoft Corp. or third-party developers -- for protocol-handling bugs after a researcher on Friday said Internet Explorer 7 can be used to trick users into launching malware.
Posting to the Full Disclosure mailing list, Juergen Schmidt, a researcher at Heise Security, blamed IE 7 for passing invalid Uniform Resource Identifiers (URI) to Windows XP. Specifically, said Schmidt, IE 7 accepts URLs from other applications that include the "%" [percent] character, which can launch software or scripts on users' machines if they click on a malformed link.
According to Schmidt and others, the earlier IE 6 doesn't have the bug, indicating that something broke between versions. "Post-IE7 has a flaw/threat/vulnerability it hasn't had pre-IE7," said Thierry Zoller, a penetration tester at German security firm n.runs AG.
Windows' URI protocol handling, the technology that lets browsers run other programs via commands in the URL, has been criticized since July, when Norwegian researcher Thor Larholm demonstrated how IE and rival Firefox could be used to run malicious code. Even then, researchers feuded over responsibility. Mozilla Corp. patched Firefox several days later, but Microsoft declined to fix IE, saying that it didn't consider the issue a vulnerability in its software.
Schmidt identified several applications, including Adobe Systems Inc.'s Acrobat Reader, the Netscape browser and Miranda, an IM client, that he said improperly handle URIs with the percent symbol, and he hinted that there were plenty more.
His post drew reaction on Full Disclosure. "The applications are accepting arbitrary input and not validating correctly," said Roger Grimes, a security consultant who said he works at Microsoft. "How is that a Microsoft or Windows problem? How could Microsoft determine ahead of time what is and isn't [a] legitimate character to pass to applications they don't own?"
"How is that _not_ a Windows Problem?" replied Zoller. "It's not that they should decide what to pass or not to pass on, the problem in the example Juergen sent is [that] they pass internally, not to third-party applications."
"If the application is what exposes the URI-handling routine to untrusted code from the Internet, then it's the application's job to make sure that code is trusted before exposing system components to its commands, no?" asked another user who went by the name "Geo."
Microsoft denied responsibility for any vulnerability in July and repeated that to Schmidt after he asked if the company's security center would address the problem. "After its thorough investigation, Microsoft has revealed that this is not a vulnerability in a Microsoft product." The company was not available early Monday to confirm that its previous comment remains its official position.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts