IE bug behind Adobe security warning

Bug in Internet Explorer 7 at root of security problems relating to Adobe's Acrobat products.

Microsoft's admission that there is a security gap in the way Internet Explorer (IE) 7 handles calls from third-party applications means network managers need to be extra cautious over the coming weeks while a patch is developed.

The flaw means an outsider can gain remote access to a user's desktop without any user interaction. It was originally flagged back in July, when researchers found that a malformed URI (uniform resource identifier) could be passed along when malicious content used IE to launch the Firefox browser.

The potential problem would affect Windows XP and Windows Server 2003 with Windows Internet Explorer 7 installed, Microsoft has now acknowledged.

The problem is linked to Adobe's announcement earlier this week that it was issuing a patch for its Acrobat products after the discovery of a security problem. A system is vulnerable when IE 7 is installed and used with Adobe Acrobat Reader/Acrobat version 8.1 and prior, especially when opening PDFs from the web.

The following widely installed programs are also possible attack vectors: Firefox version 2.0.0.5; Netscape Navigator version 9.0b2; mIRC version 6.3; Outlook Express 6, for example when following specially crafted links in vCards; and Outlook 2000 in the same way. This may not be an exhaustive list, as other versions of these applications and other software could also be affected.

Microsoft had been insistent that the problem lay with other suppliers who, it argued, bore the responsibility for screening code. The company has been criticised since the problem was first detected by researchers for not taking more active steps. Microsoft has reversed course and promised to close the loophole but says it disagrees that it should have acted sooner.

"When we make a mistake we have no problem in admitting it, but we don't think we did in this case," Mark Miller, director of security response communications for Microsoft, told IT PRO.

"But we have issued this advisory as we do whenever there is a danger of a potential attack and to clear up any confusion."

Microsoft said it is not aware of attacks that try to use the reported vulnerability or of any customer impact, but that until it issues a patch users should be cautious about opening emails or attachments from unfamiliar senders, and network managers should make sure their anti-virus software is fully up to date.

Miller claims the vulnerability does not affect Windows Vista "or any supported editions of Windows where Internet Explorer 7 is not installed," and that any problems can only arise under a certain set of circumstances.

"In order for this attack to be carried out, a user must trigger an un-validated, specially crafted URL or URI in an application." For example, a user would have to click on a link in an email message, which could then allow arbitrary code to run in the context of the logged-on user.

Microsoft finally said it is working on a patch as well as issuing a specific advisory and recommends monitoring of its security centre blog.

"This is a crucial flaw for which Microsoft originally tried to lay blame on others, suggesting they needed to sanitise input to the URIs," said Pete Simpson, ThreatLab manager at email monitoring specialist Clearswift.

"Now it has accepted it is its responsibility and that should be welcomed."

But Simpson cautions that now the exploit is so public it is a "race between the good guys and the bad guys": attackers may try to use the gap until a patch goes online.
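As an illustration of the input screening Simpson refers to, here is an added example (not code from the article, from Microsoft, Adobe or any vendor named above) of the check an application can apply to a link before handing it to the operating system's URI handler. The scheme allowlist, the length limit and the function name are assumptions for this example.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: the schemes this (hypothetical) application is prepared to hand
# to the operating system's URI handler. Anything else is refused.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
MAX_URI_LEN = 2048  # assumed limit; over-long links are refused, not truncated

# Characters RFC 3986 permits in a URI. Whitespace, double quotes, backslashes
# and control characters are not in this set, so the match rejects them.
_URI_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+$")
_PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
# Conservative: also refuse links whose percent-decoded form contains characters
# that could change how a downstream handler re-parses the link.
_UNSAFE_DECODED = re.compile(r'[\x00-\x20\x7f"\\]')


def is_safe_uri(uri: str) -> bool:
    """Return True only if the link is well-formed and uses an allowed scheme.

    This is screening the application does itself, rather than trusting the
    system handler to cope with a malformed link.
    """
    if not uri or len(uri) > MAX_URI_LEN:
        return False
    if not _URI_CHARS.match(uri):
        return False
    # Every '%' must begin a two-hex-digit escape; a stray '%' is malformed.
    if "%" in _PCT_ESCAPE.sub("", uri):
        return False
    if _UNSAFE_DECODED.search(unquote(uri)):
        return False
    try:
        parts = urlsplit(uri)  # urlsplit lower-cases the scheme for us
    except ValueError:         # e.g. an unbalanced IPv6 bracket in the host
        return False
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    if parts.scheme in ("http", "https") and not parts.netloc:
        return False
    if parts.scheme == "mailto" and not parts.path:
        return False
    return True
```

A link that fails the check should be dropped or shown to the user as plain text, never passed on in "repaired" form.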
