IE bug behind Adobe security warning

Bug in Internet Explorer 7 at root of security problems relating to Adobe's Acrobat products.

Microsoft's admission that there is a security gap in the way Internet Explorer (IE) 7 handles calls from third-party applications means network managers need to be extra cautious over the coming weeks while a patch is developed.

The flaw means an outsider can get remote access to a user's desktop without any user interaction. It was originally flagged back in July, when it was discovered that an incorrect URI (uniform resource identifier) could be invoked after a malware-ordered launch of the Firefox browser via IE.

The potential problem would affect Windows XP and Windows Server 2003 with Windows Internet Explorer 7 installed, Microsoft has now acknowledged.

The problem is linked to Adobe's announcement earlier this week that it was issuing a patch for its Acrobat products after the discovery of a security problem. A system is vulnerable when IE 7 is installed and used with Adobe Acrobat Reader/Acrobat version 8.1 and prior, especially when opening PDFs from the web.

The following widely installed programs are also possible attack vectors: Firefox version 2.0.0.5; Netscape Navigator version 9.0b2; mIRC version 6.3; Outlook Express 6 (for example, when following specially crafted links in vCards); and likewise Outlook 2000. However, this may not be an exhaustive list, as other versions of these applications, as well as other software, could be affected.

Microsoft had been insistent that the problem lay with other suppliers who, it argued, bore the responsibility for screening code. The company has been criticised since the problem was first detected by researchers for not taking more active steps. Microsoft has reversed course and promised to close the loophole but says it disagrees that it should have acted sooner.

"When we make a mistake we have no problem in admitting it, but we don't think we did in this case," Mark Miller, director of security response communications for Microsoft, told IT PRO.

"But we have issued this advisory as we do whenever there is a danger of a potential attack and to clear up any confusion."

Microsoft said it is not aware of attacks that try to use the reported vulnerability or of customer impact, but that until it issues a patch, users should be cautious about opening emails or attachments from unfamiliar users, and network managers should make sure their anti-virus software is fully up to date.

Miller claims the vulnerability does not affect Windows Vista "or any supported editions of Windows where Internet Explorer 7 is not installed," and that any problems can only arise under a certain set of circumstances.

"In order for this attack to be carried out, a user must trigger an un-validated, specially crafted URL or URI in an application." For example, a user would have to click on a link in an email message, which could allow arbitrary code to be run in the context of the logged-on user.

Microsoft finally said it is working on a patch as well as issuing a specific advisory and recommends monitoring of its security centre blog.

"This is a crucial flaw for which Microsoft originally tried to lay blame on others, suggesting they needed to sanitise input to the URIs," said Pete Simpson, ThreatLab manager at email monitoring specialist Clearswift.

"Now it has accepted it is its responsibility and that should be welcomed."

But Simpson cautions that now the exploit is so public it is a "race between the good guys and the bad guys", as hackers may try to use the gap until a patch goes online.
