
Microsoft Changes Tune on IE7 Vulnerability

Reversing its initial assessment, Microsoft on Wednesday acknowledged that it needs to fix a vulnerability in its Internet Explorer 7 Web browser that could allow malicious Web sites to install unwanted software on Windows XP and Windows Server 2003 machines.

Evidence of the flaw first surfaced in June, and not long after Firefox browser maker Mozilla shipped a security update to fix a problem wherein a nasty Web site could use the mere existence of IE7 on a Windows machine to force Firefox to launch pretty much any application already installed on Windows, simply by convincing the user to click on a specially crafted link.

Mozilla said its update prevented the Windows flaw from using Firefox as the vehicle for hacking a vulnerable system, but that the nature of the vulnerability meant that attackers could force pretty much any other Windows software application to open up a virtual backdoor on PCs and let bad guys install malicious software of their choosing.

Microsoft maintained for months that this was not the result of a Windows design flaw. Throughout, Microsoft's stance was that it had "thoroughly investigated the claim of a vulnerability in Internet Explorer and found that this is not a vulnerability in a Microsoft product."

Fast-forward to Wednesday, when the company issued a security bulletin essentially acknowledging that Mozilla's initial prognosis was correct, at least for "supported editions of Windows XP and Windows Server 2003 with Windows Internet Explorer 7 installed." Interestingly, Microsoft says this vulnerability does not affect IE7 on Windows Vista, IE6 or earlier versions on Windows XP.

Microsoft concedes that attackers could exploit this flaw merely by convincing a Windows user to click on a link in an e-mail. The company says it is not aware of any malicious Web sites actively exploiting this vulnerability and that it is crafting a security update to plug this security hole.

But the sticky part here is that instructions showing criminals precisely how to exploit this flaw to break into Windows computers were posted online some time ago. Indeed, security provider Symantec warns that "with the ease of exploitation, the availability of public proof-of-concept code, and further attention that this vulnerability is receiving, it is likely this issue will begin to see more exploitation in the wild."

Not sure what "Eureka!" moment caused Microsoft to change its tune on this, but here's hoping they ship a fix before cyber crooks start exploiting the flaw for financial gain.

In other Windows vulnerability news, Symantec says it has seen evidence that cyber crooks are now exploiting a flaw in certain Microsoft Office file formats that could be used to compromise Windows PCs. While Microsoft on Tuesday shipped a software patch to fix this particular vulnerability, it is likely to remain unfixed on millions of Windows PCs for some time. That's because the group most at risk from this flaw are Office 2000 users. While Microsoft makes most security updates available through its Microsoft Update site, Office 2000 users must make a separate trip over to the Office Update site to download fixes. In a further complication, the default installation process for Office 2000 patches requires the user to have the original Office installation discs handy.

By Brian Krebs  |  October 11, 2007; 10:43 AM ET
Categories:  Latest Warnings  


Brian, should that last sentence reference "Office 2000" instead of Windows 2000?

Posted by: Tim | October 11, 2007 11:22 AM | Report abuse

@Tim -- whoops. right you are. fixed. thanks!

Posted by: Bk | October 11, 2007 11:39 AM | Report abuse

I use two PCs on a Pc uses XP-Home ED.(SP2)..the other is a Pc I built(intel)and uses XP-Pro(SP2)..I've been attempting Video Movies for some 5+ years now..I have just about everything an Amateur Photographer could want/I've created some 100+ DVD-movies..I'm basically the family photographer--but really like to experiment..along the way I decided to use two PCs/1-PC(uses)Celeron D and the 2nd uses Pentium 4/I have managed much better having a PROJECT PC and a solitary Internet PC..McAFEE protects my Internet Projects--and--Microsoft Windows Firewall protects the Project PC for Video Production..this has run nearly flawless(except)that Video Production tends to run the PC(into the ground)OS/re-installs are the CLUTCH-operation/software reinstalls are necessary..but my Video Files are quite good for the amount of money I actually spend..I have read about a lot of PCs that have problems..and have never heard the word(PC ADMINISTRATOR)used..also the use of PCs as Video Arcades seems to have forced a FALSE impression of PCs into VIEW..basically I have found that being a PC ADMINISTRATOR is the success level of going long range on PC-technology-and GOALS..Parts List,,LOGS,,Receipts,,understanding the aspect of a consumers market in the PC-world..many things are NULL-on development..BASIC may be an out-dated term for Functionality and Hardware/but ORIGINAL CONFIGURATION surfaces many times in my travels..I use it the sense that PCs are trouble-some..I would say that OFFICE Products are very difficult compared to Digital Media..and the newer PCs seem to attempt to collect the two into a SINGLE-system..this I have avoided by using a KVM-switch.

Posted by: ct47DB | October 11, 2007 12:08 PM | Report abuse

I wonder if the "Eureka! moment" has anything to do with Secunia pointing out that Outlook is vulnerable to the same problem:

Posted by: Dan Veditz | October 11, 2007 1:00 PM | Report abuse

I remember this issue very well, we found out that our proprietary software vendor was using this vulnerability to view reports, etc. via their Java based application. After Firefox was patched, the view feature no longer worked and we had to either make significant changes to the registry to make it work or lock out updates to future versions of Firefox. We decided to lock out updates until we replace the application with something better.

Posted by: DOUGman | October 11, 2007 1:38 PM | Report abuse

No tune change here! We are still singing the same song. "nothing wrong over here, baby". If there is some kinda problem it's minor and you people are blowing it all out of proportion!

Posted by: steveballmer | October 11, 2007 4:37 PM | Report abuse

Hi Brian,

I can't thank you enough for how much you've kept me informed.

Although I use Firefox on my Windows XP, I can't seem to update to IE7 properly. My computer freezes every time I install IE7. So I've removed the icon so no one else can access it easily. My concern is that when I want to do updates for Office, for example, it's the IE6 browser that opens, something I don't want. I do get automatic updates from MS, but don't know if they apply to Office or Excel. Any idea of how to update to IE7?


Posted by: Anonymous | October 12, 2007 12:58 PM | Report abuse

I was uploading lots of Vid Files to a website which eventually corrupted my OS and ISP..during the Re-Install of everything I completed everything and went to check on IE...well it was IE6...why did IE7 not install during Microsoft UPDATE....??...I went to CLICK the IE7 Link and it stalled w/2MBs left to INSTALL(I used the RUN-command)...IE7 is a 14.7MB Size File...well at an earlier time I did CLICK-the-SAVE-command and have an IE7 File on hand in LOADED and runs as usual(just great)....So..I would suggest you do a SAVE on the Download and then use RUN-later.

Posted by: ct47DB | October 13, 2007 10:19 AM | Report abuse

......Microsoft does suggest that XP-users use the RUN-command....
.......................I sometimes try both.

Posted by: ct47DB | October 13, 2007 10:22 AM | Report abuse

Hi Brian, your analysis is incorrect. It was the same one that I came to after initially reading the KB article. You should really read this blog post by the MSRC team:

Microsoft is patching a bug in ShellExecute() and NOT anything that relates to 3rd party protocols.

Read this snippet:
"With Internet Explorer 7 installed, the flow is a bit different. IE7 began to do more validation up front to reject malformed URI's. When this malformed URI with a % was rejected by IE7, ShellExecute() tries to "fix up" the URI to be usable. During this process, the URI is not safely handled. IE7 rejects the URI, and on Windows Vista ShellExecute() gracefully rejects the URI. That's not the case on the older versions of Windows like Windows XP and Windows Server 2003 when IE7 is installed"

Basically, on non-vista boxes, ShellExecute() LAUNCHES the exploit.

Compare that to your Firefox bug where IE passes data to FF, and FF has a bug where it screws up with certain characters (aka quotes) and FIREFOX launches the exploit.
See here for a picture that shows FF launching the exploit from the earlier bug:

In short, this blog post is confusing two similar, but not related bugs. Microsoft is not reversing its stance here.


Posted by: wng_z3r0- MVP security | October 14, 2007 8:32 PM | Report abuse
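The flow the comment above quotes from MSRC (front-end validation rejects a malformed URI, a lower layer then "fixes it up" and hands it on anyway) can be modelled in a few lines. This is an added, simplified illustration and not Windows or Microsoft code: the scheme allowlist, the stray-`%` rule and the sample URI are constructed assumptions, and the point shown is the defensive one, that a rejected URI should fail closed rather than be repaired and dispatched.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: the only schemes this model will pass to an external handler.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# A stray '%' is any '%' not followed by exactly two hex digits (a malformed escape).
STRAY_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")


def strict_validate(uri: str):
    """Up-front validation in the spirit of IE7's check: refuse a URI whose scheme is
    not allowlisted or that contains a malformed percent escape. Returns (ok, reason)."""
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if STRAY_PERCENT.search(uri):
        return False, "malformed percent escape"
    return True, "ok"


def lenient_fixup(uri: str) -> str:
    """Model of the risky 'fix up' step: silently repair a stray '%' as '%25' so the
    URI becomes 'usable' again, instead of failing closed."""
    return STRAY_PERCENT.sub("%25", uri)


def dispatch(uri: str, fixup_on_reject: bool):
    """Hand the URI to a handler. With fixup_on_reject=True the fallback repairs and
    dispatches input the front-end already rejected (the unsafe layering described in
    the comment); with False the rejection is final (the fail-closed behaviour)."""
    ok, reason = strict_validate(uri)
    if ok:
        return "handled", uri
    if fixup_on_reject:
        repaired = lenient_fixup(uri)
        if strict_validate(repaired)[0]:
            return "handled", repaired  # input the validator rejected reaches the handler anyway
    return "rejected", reason


if __name__ == "__main__":
    # Constructed sample: a mailto: URI carrying a malformed escape.
    sample = "mailto:user%zz@example.com"
    print(dispatch(sample, fixup_on_reject=True))   # ('handled', 'mailto:user%25zz@example.com')
    print(dispatch(sample, fixup_on_reject=False))  # ('rejected', 'malformed percent escape')
```

The detector to keep from this is the second call: whatever layer sits below the validator must return the rejection unchanged, not a repaired copy.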

I linked the wrong blog post. The corresponding blog to read is:

Sorry for any confusion.

Posted by: wng_z3r0- MVP security | October 14, 2007 9:41 PM | Report abuse

Yep!, my computer is invaded with spyware using Office programs, Illustrator, and others... My private folders have been turned available to all users without consent, and I cannot change it...Being redirected to who knows where...Many of My Documents done on Word have changed to another format...Some of My Favorites simply disappear...Free Dr. Spyware, AntispywareBot do not delete and persistently pop-up and/or are used to track and print My Documents and computer activities. Under REMOVE PROGRAMS they appear indicating they do not exist. However, under SEARCH I do find files under their names on My Documents, Windows Updates, and others. I've even found Task file assigned to them on a daily basis. If I try deleting the several files under these "unexisting" programs, suddenly the rest change to a different format created with unidentified programs and computer or internet might go crazy...

Please share some advice. I will also check tomorrow this wonderful-just-discovered blog to see if there is already any info that may be helpful.

Sorry to take so much space, but I'm really desperate and exhausted.


Posted by: medin | October 16, 2007 12:02 AM | Report abuse

This is not really a vulnerability, we are just treating it as such to make the unwashed masses feel better!

Posted by: Steve Ballmer | October 16, 2007 7:56 PM | Report abuse

While having no love for Mr Ballmer, I find the sock-puppet fake Ballmer posts distinctly offensive. Mr Krebs, I'm surprised you've allowed them to stand; I thought the policy was not to allow posting under false identities.

Posted by: aeschylus | October 17, 2007 12:39 AM | Report abuse

© 2010 The Washington Post Company