Patch (unofficial) for URI handling vulnerability

There has been some concern recently about a vulnerability with the way URIs are handled on Windows XP and Server 2003. The vulnerability only exists if Internet Explorer 7 is installed, because of a change that was made in the way that IE interacts with the Windows Shell.

The problem enables attackers to construct potentially malicious URIs for use in mailto: or other URI handlers (e.g. http, news, nntp) in order to execute arbitrary programs [see CVE-2007-3896]. The nature of the vulnerability means that several applications can be used as attack vectors including specific versions of IE7, Firefox, mIRC, Acrobat Reader and Outlook/Outlook Express [1]. Microsoft published a knowledge base article describing the issue last week [2].

This week, an unofficial patch has been posted by KJK::Hyperion [3]. Of course, the patch is unofficial and has undergone limited QA testing, making it unsuitable for deployment in live or corporate environments. To quote the developer:

... prevents the execution of malformed URLs and enforces normalization of valid URLs. Programs registering custom URL schemes might not like, support or even know about normalized URLs: this patch will interfere with any such program to the point of unusability

The patch resolves the vulnerability by hooking the vulnerable ShellExecute() function and preventing the execution of malformed URIs. A posting to the Microsoft Security Response Center blog last week [4] suggests that Microsoft intend to harden URI handling within ShellExecute(), so an official patch will most likely become available soon.

This is not the first time we have seen an unofficial patch hit the streets first. At the beginning of last year an unofficial patch [5] to the WMF exploit [6] was released. The problem is that such patches can rarely be deployed to live environments for fears of breaking critical applications.