Microsoft explains Windows URI patch strategy

Security team tries to clear up confusion over what it will patch and what it won't

Microsoft has clarified what it plans to patch to fix a bug in Windows XP and Server 2003, but said it had no plans to overhaul the operating system's protocol-handling technology.

Mark Miller, director of the Microsoft Security Response Center (MSRC), and Mike Reavey, the MSRC's operations manager, acknowledged there was confusion around its decision to patch a vulnerability in Windows XP and Windows Server 2003 on systems running Internet Explorer 7.

"There are two separate issues," said Miller, referring to the Universal Resource Identifier (URI) bug in Windows that was the focus of a security advisory issued last week, and a larger problem that first surfaced in June but gained traction in July. "The issue [from] back in June is really related to protocol handling, and is really around how third-party applications handle them," Miller said.

Starting four months ago, researchers uncovered vulnerabilities in applications such as Apple's Safari for Windows and Mozilla's Firefox that were traced to Windows' protocol handling, the technology that lets browsers run other programs via commands in the URL. In July, criticism mounted as some researchers said Microsoft bore full responsibility for the flaws, which could be used to hijack PCs. Others, however, defended Windows, saying it was the applications' duty to "sanitize" -- to guarantee that the URIs didn't allow invalid input -- the URLs they passed to the operating system.

"The answer is yes and no," said Reavey, when asked whether Microsoft was responsible for patching. Protocol handlers registered by Windows are its responsibility, he said, and will be fixed when flaws are found, but plugging holes in handlers registered by third-party developers is not Microsoft's job.

The most common protocols, such as mailto:, which opens the default e-mail client and pre-addresses the To: field after a user clinks a mailto: link, are Microsoft's. But other developers register protocol handlers as well. Mozilla, for example, registers a protocol handler dubbed "firefoxurl:" that's used to open another instance of Firefox.

Microsoft's decision to patch bugs in protocol handlers registered by Windows is the logical move, said Ben Greenbaum, a senior manager with Symantec's security response team. "Their software is on both sides of the Windows XP-Internet Explorer 7 vulnerability," said Greenbaum, "so they should be looking at patching that issue."

"If the protocol is one that Windows handles, we understand it's up to us to patch it," said Reavey. "Mailto: wasn't the problem, it's a problem in how Windows handles protocols."

But when asked if his team would revisit Windows' processing of third-party protocol handlers, Miller made it clear that at the present, Microsoft had no intention of changing anything. "We have no plans," he said. Other developers must secure the protocols they register, he continued. "The IE team did a very good blog post on this back in July."

Microsoft has not set a timetable for delivering the announced Windows XP and Windows 2003 patch. Likewise, it has only described the fix in general terms, saying Thursday that it would "revise our URI handling code within ShellExecute to be more strict." Miller, who declined to get more specific about either the schedule or the details, said: "The update will be part of our normal product update process. It will be released as soon as we feel it's ready."

At least one researcher thinks Microsoft should do more than just patch its own problems. "Part of the larger issue here is that vendors lack a clear standard on what is and what is not approved to be stuffed into these extended URL areas," said Andrew Storms, the director of security operations at nCircle Network Security. By the time a code snippet makes its way to the final executing program, the program is so far removed from the browser, it has no idea what has been sanitized, what has been escaped or what kind of information has been approved to be in the permitted list of data."

More importantly, added Symantec's Greenbaum, is that the debates over protocol handling vulnerabilities and patch responsibility have major implications in a Web 2.0 world. "This gets to the heart of secure coding and secure data," he said. "It's early, but the decisions made on this class of vulnerabilities could determine the long-range security of the Internet."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?