Microsoft explains Windows URI patch strategy

Computerworld - Microsoft Corp. yesterday clarified what it plans to patch to fix a bug in Windows XP and Server 2003, but said it had no plans to overhaul the operating system's protocol-handling technology.

Mark Miller, director of the Microsoft Security Response Center (MSRC), and Mike Reavey, the MSRC's operations manager, acknowledged there was confusion around its decision to patch a vulnerability in Windows XP and Windows Server 2003 on systems running Internet Explorer 7.

"There are two separate issues," said Miller, referring to the Universal Resource Identifier (URI) bug in Windows that was the focus of a security advisory issued yesterday, and a larger problem that first surfaced in June but gained traction in July. "The issue [from] back in June is really related to protocol handling, and is really around how third-party applications handle them," Miller said.

Starting four months ago, researchers uncovered vulnerabilities in applications such as Apple Inc.'s Safari for Windows and Mozilla Corp.'s Firefox that were traced to Windows' protocol handling, the technology that lets browsers run other programs via commands in the URL. In July, criticism mounted as some researchers said Microsoft bore full responsibility for the flaws, which could be used to hijack PCs. Others, however, defended Windows, saying it was the applications' duty to "sanitize" -- to guarantee that the URIs didn't allow invalid input -- the URLs they passed to the operating system.

"The answer is yes and no," said Reavey, when asked whether Microsoft was responsible for patching. Protocol handlers registered by Windows are its responsibility, he said, and will be fixed when flaws are found, but plugging holes in handlers registered by third-party developers is not Microsoft's job.

The most common protocols, such as mailto:, which opens the default e-mail client and preaddresses the To: field after a user clinks a mailto: link, are Microsoft's. But other developers register protocol handlers as well. Mozilla, for example, registers a protocol handler dubbed "firefoxurl:" that's used to open another instance of Firefox.

Microsoft's decision to patch bugs in protocol handlers registered by Windows is the logical move, said Ben Greenbaum, a senior manager with Symantec Corp.'s security response team. "Their software is on both sides of the Windows XP-Internet Explorer 7 vulnerability," said Greenbaum, "so they should be looking at patching that issue."

"If the protocol is one that Windows handles, we understand it's up to us to patch it," said Reavey. "Mailto: wasn't the problem, it's a problem in how Windows handles protocols."

But when asked if his team would revisit Windows' processing of third-party protocol handlers, Miller made it clear that at the present, Microsoft had no intention of changing anything. "We have no plans," he said. Other developers must secure the protocols they register, he continued. "The IE team did a very good blog post on this back in July."