Recent IE 7 bug re-opens debate over patch responsibilities

Security researchers are again arguing over who is responsible -- Microsoft or third-party developers -- for protocol-handling bugs after a researcher on Friday said Internet Explorer 7 can be used to trick users into launching malware.

Posting to the Full Disclosure mailing list, Juergen Schmidt, a researcher at Heise Security, blamed IE 7 for passing invalid Uniform Resource Identifiers (URI) to Windows XP. Specifically, said Schmidt, IE 7 accepts URLs from other applications that include the "%" [percent] character, which can launch software or scripts on users' machines if they click on a malformed link.

According to Schmidt and others, the earlier IE 6 doesn't have the bug, indicating that something broke between versions. "Post-IE7 has a flaw/threat/vulnerability it hasn't had pre-IE7," said Thierry Zoller, a penetration tester at German security firm n.runs.
