When I was a kid growing up in Montana, which even today still has miles and miles of seemingly endless roads, a common summer question to my parents from both my brother and me was "Are we there yet?" This summer, I want to ask Microsoft something similar. Is it patched yet?
Despite Mozilla's admission last week that Firefox 2.x contains the same uniform resource identifier (URI) bug that plagues Internet Explorer and is hurrying to fix the problem, the Department of Homeland Security's US-CERT organization says that still doesn't fix IE's underlying flaw.
Noted by BetaNews.com today, the problems arise from a change made in IE7:
"After IE7 is installed on a system, or when a new operating system is installed with IE7 present, the ShellExecute() API function is handled differently. This is the call (or one of the calls) that a Windows application would place when it wishes to launch another application.When a Web browser receives a URI that contains a resource identifier that obviously isn't http://, it searches the Registry for the external application associated with that identifier. It then launches the application that the Registry reports back, and passes it parameters supplied from inside the URI.
Intentionally malforming the URI is what opens up a browser to the execution of unchecked, remote binary code."
This is what I was trying to emphasize at the end of my post last week on this topic:
"My guess is that you should expect to see more cross-browser security bugs/issues crop up. After all, IE doesn't just pass URIs to Firefox."
US-CERT, which is short for the U.S. Computer Emergency Readiness Team, puts it pretty succinctly:
"We are currently unaware of a practical solution to this problem."
Thus far, there have not been any known active exploits of this hole "in the wild," but there is proof-of-concept code out on the Web. So a zero-day exploit could easily be just around the next curve.
Our summertime question to Microsoft remains: Is it patched yet?
