Friday, October 26, 2007 6:48 AM
cmosby
SANS Internet Storm Center - URL Update to Internet Explorer URL Handling Vulnerability
Hmm, I wonder who that Chris guy is?? ;-) Seriously though, this is not good news. Microsoft asking vendors to fix future tools is one thing, but what about all the stuff that is already out there?? I can't see this problem going away very easily, especially since Microsoft has pretty much thrown down the gauntlet to hackers to exploit this. Firefox, on the other hand, looks to have taken care of this three versions ago.
URL Update to Internet Explorer URL Handling Vulnerability
Published: 2007-10-26
Last Updated: 2007-10-26 02:05:06 UTC
by Johannes Ullrich (Version: 1)
Earlier this month, Microsoft published KB943521. This article acknowledged that third party software had to validate URLs before passing them to Internet Explorer, as Internet Explorer will not validate them. Today, Microsoft published an update to the advisory, suggesting limited exploitation of this vulnerability.
Microsoft does not appear to plan to fix the issue in Internet Explorer. Instead, it asks vendors releasing tools that pass URLs to Internet Explorer to validate them.
Thanks to Chris and Gilbert for alerting us to the update! Let us know if you see an exploit in the wild, or if you encounter any 3rd party applications which are not protecting Internet Explorer.
Links:
www.microsoft.com/technet/security/advisory/943521.mspx
blogs.technet.com/msrc/archive/2007/10/25/msrc-blog-october-25th-update-to-security-advisory-943521.aspx
SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc
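The mitigation described in the diary is that the calling application validates a URL before passing it on. One conservative way to do that is sketched here as an added example; it is not code from the ISC diary or from Microsoft, and the function name `url_is_safe_to_launch`, the length limit and the specific rules (http/https only, visible ASCII only, well-formed percent escapes) are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#define MAX_URL_LEN 2048 /* hypothetical policy limit, not from the advisory */

/* Case-insensitive prefix match: returns the prefix length, or 0. */
static size_t match_scheme(const char *url, const char *scheme)
{
    size_t i;
    for (i = 0; scheme[i] != '\0'; i++)
        if (tolower((unsigned char)url[i]) != scheme[i])
            return 0;
    return i;
}

static int hex_value(unsigned char c)
{
    if (isdigit(c)) return c - '0';
    c = (unsigned char)tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Returns 1 if url may be handed to the external URL handler, else 0. */
int url_is_safe_to_launch(const char *url)
{
    size_t len, i, start;
    if (url == NULL || (len = strlen(url)) == 0 || len > MAX_URL_LEN)
        return 0;
    /* Scheme allow-list: anything other than http(s) is refused. */
    start = match_scheme(url, "https://");
    if (start == 0) start = match_scheme(url, "http://");
    if (start == 0 || !isalnum((unsigned char)url[start]))
        return 0; /* unknown scheme, or host does not start with a letter/digit */
    for (i = start; i < len; i++) {
        unsigned char c = (unsigned char)url[i];
        if (c < 0x21 || c > 0x7e || strchr("\"<>\\^`{|}", c) != NULL)
            return 0; /* not visible ASCII, or never valid unencoded in a URI */
        if (c == '%') {
            int hi = hex_value((unsigned char)url[i + 1]);
            int lo = hi < 0 ? -1 : hex_value((unsigned char)url[i + 2]);
            int v = hi * 16 + lo;
            if (hi < 0 || lo < 0 || v < 0x20 || v == 0x7f)
                return 0; /* malformed escape or encoded control character */
            i += 2;
        }
    }
    return 1;
}
```

The check is deliberately strict: it refuses some legitimate URLs (for example IPv6 literal hosts) rather than trying to repair input before it reaches the handler.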