After three months, Microsoft has finally announced that it will be fixing what has been known in security circles as the URI (Uniform Resource Identifier) flaw in Internet Explorer 7.
The following excerpt from TechTarget nicely summarizes the issue:
A flaw in Windows XP and Server 2003 fails to properly validate URIs and URLs, allowing an attacker to execute arbitrary commands. If Internet Explorer 7 is installed, malicious URIs may be passed through it via several third-party applications like Adobe Acrobat Reader, mIRC, Mozilla Firefox, Skype, or Miranda IM.
A security advisory has been released, and hopefully a patch will be out soon.
To read more:
- Additional details and background on Security Advisory 943521 (MSRC Blog)
- Microsoft warns of dangerous Windows URI vulnerability (SearchSecurity.com)
- Microsoft will patch IE7 ‘URI’ hole (PC World)
- Microsoft comes clean on URI holes (VNUNet)