Bulletproof Internet Explorer 7 Against URL Attacks

With an unofficial patch

By Marius Oiaga, Technology News Editor

17th of October 2007, 12:29 GMT

Microsoft has acknowledged scenarios where Internet Explorer 7 - running on top of Windows XP SP2, Windows XP Professional x64 and with SP2, as well as Windows Server 2003, the 32-bit and the 64-bit editions, both SP1 and SP2, along with Windows Server 2003 with SP1 or SP1 for Itanium-based Systems - provides fertile soil for a remote code execution vulnerability. The exploits have been confirmed as being connected to a URL handling security flaw, but at the end of the past week, Microsoft said that it had not identified attacks related to the vulnerability.

Fraser Howard, principal virus researcher at Sophos, explained that the flaw only exists through the combination of Windows XP and Windows Server 2003 because of the alterations introduced in the way Microsoft's latest browser interacts with the Windows Shell. The Redmond company did reveal that it is working on a security update to address the vulnerability but did not give a timetable for the availability of the patch. A security bulletin could be released with the upcoming Microsoft monthly patch cycle in November. The strongest argument pointing to such a possibility is the fact that the vulnerability is not being exploited in the wild, and in this respect, the Redmond company will not see the need for an out-of-band update. Meanwhile, a patch is being offered by a third party.

"The problem enables attackers to construct potentially malicious URIs for use in mailto: or other URI handlers (e.g. http, news, nntp) in order to execute arbitrary programs. The nature of the vulnerability means that several applications can be used as attack vectors including specific versions of IE7, Firefox, mIRC, Acrobat Reader and Outlook/Outlook Express. Microsoft published a knowledge base article describing the issue last week. This week, an unofficial patch has been posted by KJK::Hyperion," Howard revealed.

"The patch consists of a ShellExecuteEx hook that prevents the execution of malformed URLs and enforces normalization of valid URLs. Programs registering custom URL schemes might not like, support or even know about normalized URLs: this patch will interfere with any such program to the point of unusability. The normalization proper is performed by Internet Explorer's low-level internet engine, which could mangle unknown URL schemes or otherwise act unpredictably when presented with abnormal input," revealed KJK::Hyperion, emphasizing the fact that the patch is "dramatically under-tested and it has undergone no quality assurance procedure whatsoever."
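
The kind of gate this description implies (refuse malformed URLs, normalize valid ones before any handler is launched), as an added example that is not the patch's code and does not hook ShellExecuteEx. `uri_gate` is a hypothetical name; "malformed" is assumed here to mean a bad scheme, an incomplete percent escape, or a character outside the RFC 3986 set, and normalization is assumed to be lowercasing the scheme and uppercasing escape hex digits. The sample URLs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Unescaped characters RFC 3986 permits in a URI (unreserved + reserved). */
static int uri_char_ok(unsigned char c) {
    return isalnum(c) || (c && strchr("-._~:/?#[]@!$&'()*+,;=", c));
}

/* Returns 1 and writes a normalized copy to out when uri is well formed.
   Returns 0 otherwise; the caller must then not launch any handler. */
int uri_gate(const char *uri, char *out, size_t outsz) {
    size_t i = 0, o = 0;
    /* scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), ended by ':' */
    if (!isalpha((unsigned char)uri[0])) return 0;
    for (; uri[i] && uri[i] != ':'; i++) {
        unsigned char c = (unsigned char)uri[i];
        if (!(isalnum(c) || c == '+' || c == '-' || c == '.')) return 0;
        if (o + 2 > outsz) return 0;
        out[o++] = (char)tolower(c);          /* schemes are case-insensitive */
    }
    if (uri[i] != ':') return 0;              /* no scheme delimiter at all */
    for (; uri[i]; i++) {
        unsigned char c = (unsigned char)uri[i];
        if (c == '%') {                       /* must be exactly %HH */
            unsigned char h1 = (unsigned char)uri[i + 1];
            unsigned char h2 = h1 ? (unsigned char)uri[i + 2] : 0;
            if (!isxdigit(h1) || !isxdigit(h2)) return 0;
            if (o + 4 > outsz) return 0;
            out[o++] = '%';
            out[o++] = (char)toupper(h1);
            out[o++] = (char)toupper(h2);
            i += 2;
        } else if (uri_char_ok(c)) {
            if (o + 2 > outsz) return 0;
            out[o++] = (char)c;
        } else {
            return 0;                         /* space, quote, control, non-ASCII */
        }
    }
    out[o] = '\0';
    return 1;
}

int main(void) {
    char buf[128];
    const char *u = "MAILTO:user@example.com?subject=a%2fb";  /* constructed */
    if (uri_gate(u, buf, sizeof buf)) printf("launch handler with: %s\n", buf);
    else printf("rejected: %s\n", u);
    return 0;
}
```

A strict gate like this shows the trade-off the patch author warns about: a program whose custom scheme relies on characters or escapes outside the accepted set would find its URLs refused.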

© Copyright 2001-2009 Softpedia