
IE bug behind Adobe security warning

Bug in Internet Explorer 7 at root of security problems relating to Adobe's Acrobat products.

Microsoft's admission that there is a security gap in the way Internet Explorer (IE) 7 handles calls from third-party applications means network managers need to be extra cautious over the coming weeks while a patch is developed.

The flaw means an outsider can gain remote access to a user's desktop without any user interaction. It was originally flagged back in July, when researchers found that an incorrectly handled URI (uniform resource identifier) could be invoked after malware launched the Firefox browser via IE.

The potential problem would affect Windows XP and Windows Server 2003 with Windows Internet Explorer 7 installed, Microsoft has now acknowledged.

The problem is linked to Adobe's announcement earlier this week that it was issuing a patch for its Acrobat products after the discovery of a security problem. A system is vulnerable when IE 7 is installed and used with Adobe Acrobat Reader/Acrobat version 8.1 and prior, especially when opening PDFs from the web.

The following widely installed programs are also possible attack vectors: Firefox version; Netscape Navigator version 9.0b2; mIRC version 6.3; Outlook Express 6, e.g. when following specially crafted links in vCards, and likewise Outlook 2000. This may not be an exhaustive list, however, as other versions of these applications and other software could also be affected.

Microsoft had been insistent that the problem lay with other suppliers who, it argued, bore the responsibility for screening code. The company has been criticised since the problem was first detected by researchers for not taking more active steps. Microsoft has reversed course and promised to close the loophole but says it disagrees that it should have acted sooner.

"When we make a mistake we have no problem in admitting it, but we don't think we did in this case," Mark Miller, director of security response communications for Microsoft, told IT PRO.

"But we have issued this advisory as we do whenever there is a danger of a potential attack and to clear up any confusion."

Microsoft said it is not aware of attacks that try to use the reported vulnerability or of customer impact, but that until it issues a patch users should be cautious about opening emails or attachments from unfamiliar users and that network managers should make sure their anti-viral software is fully up to date.

Miller claims the vulnerability does not affect Windows Vista "or any supported editions of Windows where Internet Explorer 7 is not installed," and that any problems can only arise under a certain set of circumstances.

"In order for this attack to be carried out, a user must trigger an un-validated, specially crafted URL or URI in an application." For example, a user would have to click on a link in an email message, which could allow arbitrary code to be run in the context of the logged-on user.
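The condition Microsoft describes, an application handing an unvalidated URI on to another program, is the kind of gap an application-side check can close. The following validator is an added illustration written for this article, not code from Microsoft, Adobe or any of the products named; the allowed-scheme list and length limit are assumptions a real application would set for itself.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: the schemes this hypothetical application will pass to an external handler.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
MAX_URI_LENGTH = 2048  # assumption: a sane upper bound before dispatch

# Characters permitted in a URI by RFC 3986 (unreserved, gen-delims, sub-delims and '%').
_RFC3986_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")
# A '%' that does not begin a well-formed percent-encoded octet.
_BAD_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")


def validate_uri(uri: str, allowed_schemes=ALLOWED_SCHEMES) -> tuple[bool, str]:
    """Return (ok, reason). The URI is only considered safe to hand to an
    external handler when every check passes; the reason string explains
    the first failing check so it can be logged."""
    if not uri or len(uri) > MAX_URI_LENGTH:
        return False, "empty or over length limit"
    # Control characters never belong in a URI and are a common way to
    # smuggle line breaks or terminators into whatever receives the string.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in uri):
        return False, "control character"
    if not _RFC3986_CHARS.match(uri):
        return False, "character outside RFC 3986 URI character set"
    if _BAD_PERCENT.search(uri):
        return False, "malformed percent-encoding"
    # Check the decoded form too: encoding must not be a way to reintroduce
    # quotes or control characters that the raw-string checks just rejected.
    decoded = unquote(uri)
    if any(ord(c) < 0x20 or ord(c) == 0x7F or c == '"' for c in decoded):
        return False, "percent-encoding decodes to a disallowed character"
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if not scheme or scheme not in allowed_schemes:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if scheme in ("http", "https") and not parts.netloc:
        return False, "missing host"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, not real links from the incident.
    for sample in ["https://www.itpro.co.uk/", "mailto:user@example.com",
                   "file:///C:/x", "mailto:a%zz", "mailto:a%22b"]:
        print(sample, "->", validate_uri(sample))
```

An application that rejects on the first failing check, and logs the reason, gets both the mitigation and a detection signal for crafted links arriving by email.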

Microsoft added that it is working on a patch, has issued a specific advisory and recommends monitoring its security centre blog.

"This is a crucial flaw for which Microsoft originally tried to lay blame on others, suggesting they needed to sanitise input to the URIs," said Pete Simpson, ThreatLab manager at email monitoring specialist Clearswift.

"Now it has accepted it is its responsibility and that should be welcomed."

But Simpson cautions that, now the exploit is so public, it is a "race between the good guys and the bad guys": attackers may try to use the gap until a patch goes online.
