Vulnerability Note VU#403150

Microsoft Windows URI protocol handling vulnerability

Overview

Microsoft Windows fails to properly handle protocols specified in a URI, which could allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.

I. Description

A Uniform Resource Identifier (URI) is a string of characters that can be used to identify a location, resource, or protocol. Microsoft Windows will parse a URI to determine the appropriate application that is registered to handle the protocol. More information about how Windows accomplishes this is available in Microsoft Knowledge Base article 224816. Several types of Windows applications, such as web browsers and email clients, may rely on Microsoft Windows to determine the proper application to handle a specified URI.

Internet Explorer 7 has changed how Microsoft Windows parses URIs. This has introduced a flaw that can cause Windows to incorrectly determine the appropriate handler for the protocol specified in a URI. This flaw appears to rely on having a "%" character in the URI.

Publicly available exploit code uses Mozilla Firefox as an attack vector for this vulnerability. For more information, including workarounds, please see VU#783400.

II. Impact

Microsoft Windows may incorrectly determine the appropriate application to handle a protocol. For example, a "safe" protocol such as mailto: may be incorrectly handled with an "unsafe" application, such as the Windows command interpreter. This can allow unexpected execution of arbitrary commands.

III. Solution

Apply an update

This issue is addressed in Microsoft Security Bulletin MS07-061. This update provides a newer version of Shell32.dll, which performs additional validation of URIs.
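An application that passes URIs to Windows for protocol handling can also check them before dispatch. The sketch below is an added example, not code from US-CERT, Microsoft or any affected vendor; the function name, the scheme allowlist and the strict/non-strict policy are assumptions chosen for illustration, and the sample URIs are constructed.

```python
import re
from urllib.parse import unquote

# Assumed application policy (not from the advisory): schemes this program
# is willing to pass to the operating system's protocol handler lookup.
ALLOWED_SCHEMES = {"http", "https", "mailto", "news", "telnet"}

SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*\Z")     # RFC 3986 scheme syntax
BAD_PERCENT_RE = re.compile(r"%(?![0-9A-Fa-f]{2})")       # "%" that does not start %XX
RAW_UNSAFE_RE = re.compile(r'[\x00-\x20\x7f"<>\\^`{|}]')  # never valid unencoded


def check_uri_for_dispatch(uri, strict=True):
    """Decide whether `uri` may be handed to the OS protocol handler.

    strict=True rejects every "%" character, the conservative choice for
    hosts that may lack the update. strict=False accepts "%" only as
    well-formed percent-encoding that does not decode to a control character.
    Returns (ok, reason).
    """
    scheme, sep, _rest = uri.partition(":")
    if not sep or not SCHEME_RE.match(scheme):
        return False, "no valid scheme"
    if scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if RAW_UNSAFE_RE.search(uri):
        return False, "unsafe raw character"
    if "%" in uri:
        if strict:
            return False, "percent character present"
        if BAD_PERCENT_RE.search(uri):
            return False, "malformed percent-encoding"
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in unquote(uri)):
            return False, "encoded control character"
    return True, "ok"


# Constructed sample inputs, for illustration only.
SAMPLES = [
    "mailto:user@example.org",
    "mailto:user%example.org",
    "mailto:user@example.org?subject=hello%20world",
    "example.org/page",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, check_uri_for_dispatch(sample, strict=False))
```

A check of this kind complements the update and does not replace it.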

Systems Affected

Vendor                  Status      Date Updated
Adobe                   Vulnerable  11-Oct-2007
Microsoft Corporation   Vulnerable  13-Nov-2007
Mozilla                 Vulnerable  11-Oct-2007

References

http://www.kb.cert.org/vuls/id/783400
http://www.microsoft.com/technet/security/bulletin/ms07-061.mspx
http://www.microsoft.com/technet/security/advisory/943521.mspx
http://blogs.technet.com/msrc/archive/2007/10/25/msrc-blog-october-25th-update-to-security-advisory-943521.aspx
http://xs-sniper.com/blog/2007/07/24/remote-command-execution-in-firefox-2005/
http://xs-sniper.com/blog/remote-command-exec-firefox-2005/
http://www.adobe.com/support/security/advisories/apsa07-04.html
http://www.adobe.com/support/security/bulletins/apsb07-18.html
http://secunia.com/advisories/26201/
https://bugzilla.mozilla.org/show_bug.cgi?id=389580
http://support.microsoft.com/kb/224816
http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries
http://en.wikipedia.org/wiki/Uniform_Resource_Identifier

Credit

This vulnerability was publicly disclosed by Billy Rios.

This document was written by Will Dormann.

Other Information

Date Public: 07/25/2007
Date First Published: 07/27/2007 10:49:12 AM
Date Last Updated: 11/13/2007
CERT Advisory:
CVE Name: CVE-2007-3896
US-CERT Technical Alerts:
Metric: 18.43
Document Revision: 25

Produced 2007 by US-CERT, a government organization