Microsoft changes mind, agrees to fix IE's URI handler

By Jeremy Reimer | Published: October 11, 2007 - 03:23PM CT

A strange cross-browser vulnerability arose earlier this year that affected Firefox users, but only if Firefox was called from Internet Explorer. This bizarre bug involved URIs in Internet Explorer that could invoke third-party applications such as Firefox and then get them to execute arbitrary code. Microsoft claimed that the responsibility was solely that of the third-party developers, whereas others put the blame on Internet Explorer itself. Mozilla released a patch for Firefox that fixed the bug, and in the inimitable style of Internet arguing, this has convinced some people that Microsoft was right all along and others that Microsoft was wrong the whole time.

Now, to confuse the matter still further, Microsoft employee Jonathan Ness has posted a note on his Internet Explorer blog explaining that Microsoft is preparing to release a patch for Internet Explorer 7 that will mitigate some, but not all, of these URI issues.

The Uniform Resource Identifier (URI) is a superset of the URL that identifies resources and instructs the browser on how to act on that resource. Maliciously-formed URIs can exploit bugs in the applications that they call in order to execute arbitrary code. Simply taking out all URI functionality in order to prevent any bugs of this kind is not really possible: Ness writes that "while we might have been able to make changes in some Windows APIs to block these attacks, doing so could break how the third party applications intended those protocol handlers to function." There are many useful functions that result from one application calling another, and removing this ability completely is not a good solution for most people.

However, Microsoft does feel that they can change a few things in the way Internet Explorer handles URIs. "Since we began investigating this situation in July there's been more discussion on how to potentially use this in attacks," writes Ness. The fix being prepared is for Internet Explorer 7 users running on XP or Windows Server 2003: Windows Vista users running IE 7 are unaffected, and Ness states that people still running IE6 are not affected either. Still, he emphasizes that not all potential attacks will be mitigated by the patch, and that Microsoft "recommends that the owners of the applications themselves address the potential issues since they understand their code the best." For example, a recent Picasa flaw that could allow hackers to steal images cannot be fixed on the Windows side without disrupting Picasa's functionality.

What the whole affair highlights is the fact that security is now everybody's problem—it's no longer enough to blame the maker of the operating system or the web browser, and it's no longer enough to keep just those two pieces of software updated. As the OS and the web browser become increasingly hardened against attacks, hackers are going to increasingly target third-party software, especially since users are much less likely to keep these applications updated.
Filed under: URI, security, vulnerability, Internet Explorer, Microsoft, software

Copyright © 1998-2007 Ars Technica, LLC
