Microsoft has taken the unusual step of accepting responsibility for an Internet Explorer security loophole that it previously didn't want to fix. The vulnerability could be used to execute malicious code on an affected machine.
The corporation had previously shifted the focus to third-party apps when the vulnerability was reported back in July. As we reported at the time, the application in question was Firefox; Internet Explorer was used to execute malicious commands via Firefox. As Jonathan, from the Microsoft Security Response Center (MSRC) now says.
Microsoft didn't act on the problem at the time, and it was generally thought that Microsoft was leaving it to third-party software vendors to make sure their apps didn't accept bad code, rather than preventing it from getting through in the first place. "While we might have been able to make changes in some Windows APIs to block these attacks, doing so could break how the 3rd party applications [functioned]," says MSRC.
URI handling code
The issue revolves around URI handling code. These are the instructions that mean you can click on an email address and IE will launch your email client with an open email.
Microsoft has now found further issues involving URI handling code - hence its change of tune. "One of the reasons we are releasing this Advisory is due to increased risk given recent discussions about how this vulnerability could be used in attacks," continued the MSRC.
"We want customers to know that we have been investigating the URI vulnerability covered in this advisory since it was publicly reported in July and will be issuing an update once development and testing is complete."