Vulnerability Note VU#403150
Microsoft Windows URI protocol handling vulnerability
Overview
Microsoft Windows fails to properly handle protocols specified in a URI, which could allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.
Description
A Uniform Resource Identifier (URI) is a string of characters that can be used to identify a location, resource, or protocol. Microsoft Windows will parse a URI to determine the appropriate application that is registered to handle the protocol. More information about how Windows accomplishes this is available in Microsoft Knowledge Base article 224816. Several types of Windows applications, such as web browsers and email clients, may rely on Microsoft Windows to determine the proper application to handle a specified URI. Internet Explorer 7 has changed how Microsoft Windows parses URIs. This has introduced a flaw that can cause Windows to incorrectly determine the appropriate handler for the protocol specified in a URI. This flaw appears to rely on having a "%" character in the URI.
Impact
Microsoft Windows may incorrectly determine the appropriate application to handle a protocol. For example, a "safe" protocol such as mailto: may be incorrectly handled with an "unsafe" application, such as the Windows command interpreter. This can allow unexpected execution of arbitrary commands.
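The note above describes applications (browsers, mail clients) that hand a URI to Windows and trust the operating system to pick the handler. As an added illustration, not code from the CERT note or from any of the listed vendors, the following Python sketch shows the kind of application-side check such a program can apply before that hand-off: it extracts the scheme strictly per RFC 3986, compares it against an allowlist, and refuses any URI whose "%" characters are not well-formed escapes or decode to control or quote characters. The allowlist, the rejection rules, the `check_uri`/`dispatch_uri` names and the sample URIs are all assumptions made for this example.

```python
import os
import re
from typing import Callable, Optional, Tuple
from urllib.parse import unquote

# RFC 3986 scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
# A well-formed percent escape is exactly "%" plus two hex digits
_PCT_ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}")

# Assumed allowlist of schemes the application is willing to hand to the OS.
# A real client would derive this from its own policy, not hard-code it.
SAFE_SCHEMES = frozenset({"http", "https", "mailto"})


def check_uri(uri: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a URI before it is passed to the OS.

    The checks are deliberately conservative: the advisory states that the
    handler confusion depends on a "%" in the URI, so any "%" that is not a
    complete %XX escape is rejected outright, and escapes that decode to
    control characters or double quotes (both of which can alter how a
    registered handler command line is interpreted) are rejected as well.
    """
    match = _SCHEME_RE.match(uri)
    if match is None:
        return False, "no RFC 3986 scheme present"
    scheme = match.group(1).lower()
    if scheme not in SAFE_SCHEMES:
        return False, "scheme %r not in allowlist" % scheme
    # Strip every well-formed escape; any "%" left over is malformed.
    if "%" in _PCT_ESCAPE_RE.sub("", uri):
        return False, "malformed percent escape"
    decoded = unquote(uri)
    if any(ord(ch) < 0x20 or ch == '"' for ch in decoded):
        return False, "decoded URI contains control or quote characters"
    return True, "ok"


def dispatch_uri(uri: str, opener: Optional[Callable[[str], object]] = None) -> bool:
    """Hand the URI to the OS only if check_uri accepts it.

    `opener` is injected so the policy can be exercised without actually
    launching anything; when omitted, os.startfile (Windows only) is used.
    Returns True if the URI was dispatched, False if it was blocked.
    """
    accepted, reason = check_uri(uri)
    if not accepted:
        # A real client would log the blocked hand-off here for detection.
        return False
    if opener is None:
        opener = os.startfile  # only exists on Windows builds of Python
    opener(uri)
    return True


if __name__ == "__main__":
    # Constructed sample URIs, not taken from the advisory.
    samples = [
        "mailto:alice@example.com",
        "mailto:alice@example.com?subject=Hello%20World",
        "mailto:alice@example.com?subject=100%",
        "mailto:alice@example.com?body=%0Aline",
        "telnet://example.com",
        "not a uri",
    ]
    for sample in samples:
        print("%-50s %s" % (sample, check_uri(sample)))
```

The check runs entirely inside the application, so it holds regardless of how the operating system's own URI parsing behaves; the patch referenced in the Solution section remains the fix for Windows itself.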
Solution
Apply an update. See the vendor entries under Systems Affected and the vendor bulletins listed in the References section.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Adobe | Affected | - | 11 Oct 2007 |
| Microsoft Corporation | Affected | 26 Jul 2007 | 13 Nov 2007 |
| Mozilla | Affected | - | 11 Oct 2007 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://www.kb.cert.org/vuls/id/783400
- http://www.microsoft.com/technet/security/bulletin/ms07-061.mspx
- http://www.microsoft.com/technet/security/advisory/943521.mspx
- http://blogs.technet.com/msrc/archive/2007/10/25/msrc-blog-october-25th-update-to-security-advisory-943521.aspx
- http://xs-sniper.com/blog/2007/07/24/remote-command-execution-in-firefox-2005/
- http://xs-sniper.com/blog/remote-command-exec-firefox-2005/
- http://www.adobe.com/support/security/advisories/apsa07-04.html
- http://www.adobe.com/support/security/bulletins/apsb07-18.html
- http://secunia.com/advisories/26201/
- https://bugzilla.mozilla.org/show_bug.cgi?id=389580
- http://support.microsoft.com/kb/224816
- http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries
- http://en.wikipedia.org/wiki/Uniform_Resource_Identifier
Credit
This vulnerability was publicly disclosed by Billy Rios.
This document was written by Will Dormann.
Other Information
- CVE IDs: CVE-2007-3896
- Date Public: 25 Jul 2007
- Date First Published: 27 Jul 2007
- Date Last Updated: 13 Nov 2007
- Severity Metric: 18.43
- Document Revision: 25