Security Flaw Doesn't Discriminate
Although the URI vulnerability has been known for some time, it wasn't until last week that Microsoft announced it would patch the problem found in Windows XP and Windows Server 2003 with Windows Internet Explorer 7 installed. The problem can be traced to the discovery of URI vulnerabilities in Apple QuickTime running in Mozilla Firefox, according to Andrew Storms, senior security adviser for nCircle Security.
Linux and Apple OS X users are usually insulated from the security woes of their Microsoft Windows counterparts, but that doesn't seem to be the case with a recent vulnerability involving the handling of Uniform Resource Identifier (URI) protocols.
Those protocols instruct a browser to perform certain tasks. The most common task would be "http" to retrieve a Web page. Another task would be to run an application within a browser, applications like Adobe Acrobat Reader or the Apple QuickTime media player.
Although the URI vulnerability has been known for some time, it wasn't until last week that Microsoft announced it would patch the problem found in Windows XP and Windows Server 2003 with Windows Internet Explorer 7 installed.
The problem can be traced to the discovery of URI vulnerabilities in Apple QuickTime running in Mozilla Firefox, according to Andrew Storms, senior security adviser for nCircle Security in San Francisco.
"Microsoft and Firefox went back and forth doing the blame game, pointing fingers," he told LinuxInsider. "Firefox ended up deciding to roll a patch out themselves."
Microsoft, on the other hand, has gone from refusing to address the problem to addressing it on the operating side of things, he maintained.
Other Systems At Risk
Windows isn't the only operating system that can be compromised through the URI flaw, he maintained. Other systems like Linux and OS X could be affected too.
"The same issue applies where you have applications registering protocol handlers with the browsers so it's very conceivable you're going to have similar types of attacks available for different operating systems," he opined.
Security giant Symantec is not currently aware of any ongoing attacks of this type, said Ben Greenbaum, a senior researcher at Symantec Security Response in Santa Monica, Calif.
However, he told LinuxInsider, "it is certainly possible for an attacker to use a malformed URI in order to exploit a vulnerable handler on any operating system."
Off Hacker Radar?
While the URI problem has security experts concerned, it appears not to have been exploited by cyber-crooks yet.
"I'm not familiar with anybody using this today to install Trojans or rootkits or things like that," Storms said.
When researchers demonstrated how URIs could be exploited by hackers to gain control of a computer, they used the flaw to launch the Windows calculator, he noted.
"That task is harmless in itself, but it proves a point," he said. "If I can launch your calculator, I can launch any other application."
Vista Above Fray
In a security advisory on the URI issue released Oct. 10, Microsoft noted, "This vulnerability does not affect Windows Vista or any supported editions of Windows where Internet Explorer 7 is not installed."
Storms explained that there are inherent protection mechanisms in Vista that address URI-type problems.
"It has more active malware detections in it," he added.
Vista still may be cause for concern, however, Greenbaum said.
"Any time where you have code acting as an intermediary for potential hostile data on its way from source to recipient application you will have the opportunity for similar issues," he argued.
Impact Beyond Patches
The URI discussion could have far reaching consequences for the security community, Greenbaum postulated.
"Web 2.0 often involves content, and in some cases code, being both composed by groups of strangers and then shared across broad communities," he explained. "How should responsibility be assigned?" Greenbaum questioned.
"This discussion has raised awareness about how to accept responsibility and how to handle external inputs securely," he continued. "This dialogue may be more important to future security practices than simply releasing another patch."