Microsoft has issued a rare out-of-band security alert concerning the current version of Internet Explorer. The newly discovered vulnerability affects Windows XP, Server 2003 and Windows 2000 but not Vista, and it does not affect Internet Explorer 6.0 or earlier. It only involves XP/2000/Server 2003 running IE 7.
In a posting to its security blog, Microsoft said the threat presents itself when Windows does not correctly handle specially crafted URLs or URIs that are passed to it.
Internet Explorer 7 updates a Windows component, which modifies the interaction between Internet Explorer and the Windows Shell when handling URLs and URIs. Applications that pass unvalidated URIs or URLs to Windows can be leveraged to exploit this vulnerability.
In order for an attack to be carried out, a user must trigger an unvalidated, specially crafted URL or URI in an application. For example, a user could click on a link in an e-mail message, which could allow arbitrary code to be run in the context of the logged-on user.
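The mitigation the article points at is on the application side: validate a URI before handing it to the shell or to any registered URI handler. The following is an added example (not code from the article, from Microsoft, or from Internet Explorer) of such an allow-list check in Python. The scheme list, the length cap and the set of rejected characters are assumptions chosen for illustration, not Microsoft's guidance; the point it demonstrates is checking both the raw text and the percent-decoded form, since a quote or newline hidden as `%22` or `%0A` would otherwise pass a naive check.

```python
# Added example: allow-list validation of a URI before it reaches a shell or
# URI handler. Policy values below (schemes, MAX_LEN, forbidden characters)
# are assumptions for illustration, not the vendor's recommendation.
from urllib.parse import urlsplit, unquote

ALLOWED_SCHEMES = {"http", "https", "mailto"}
MAX_LEN = 2048

# Characters that should never reach a shell or URI handler, raw or decoded:
# C0 control characters, space, DEL, quotes and shell/redirection metacharacters.
_FORBIDDEN = {chr(c) for c in range(0x21)} | set('\x7f"\'<>|`\\')


def _has_forbidden(s: str) -> bool:
    return any(ch in _FORBIDDEN for ch in s)


def is_safe_uri(uri: str) -> bool:
    """Return True only if `uri` passes every check; False otherwise."""
    if not isinstance(uri, str) or not uri or len(uri) > MAX_LEN:
        return False
    # Check the raw text BEFORE parsing: urlsplit silently strips ASCII tabs
    # and newlines (Python >= 3.9.5), which would hide them from later checks.
    if _has_forbidden(uri):
        return False
    # Check the percent-decoded form as well, so %22 or %0A cannot smuggle a
    # quote or a newline past the raw check.
    if _has_forbidden(unquote(uri)):
        return False
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False
    if scheme in ("http", "https"):
        return bool(parts.netloc)  # require a host component
    # mailto: must carry an address and must not carry an authority part
    return bool(parts.path) and not parts.netloc


def validate_uri(uri: str) -> str:
    """Return the URI unchanged if it is safe, otherwise raise ValueError."""
    if not is_safe_uri(uri):
        raise ValueError(f"rejected URI: {uri!r}")
    return uri


if __name__ == "__main__":
    # Constructed samples for a local run; none is taken from the article.
    samples = [
        "https://example.com/docs?id=42",
        "mailto:user@example.com",
        "ftp://example.com/file",
        'https://example.com/"x',
        "https://example.com/%22x",
        "https://example.com/a%0Ab",
        "https:///no-host",
        "mailto://example.com",
    ]
    for s in samples:
        print(f"{'ok    ' if is_safe_uri(s) else 'reject'} {s}")
```

An application would call `validate_uri()` at the single point where a URI leaves its control (the call into the shell or handler), so that every path through the program passes the same check; rejecting on the decoded form is what keeps percent-encoding from acting as a bypass.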
For a more in-depth examination of the error, Microsoft’s Security team has posted a lengthy technical discussion on the flaw.
Microsoft’s only recommendations at this point are to keep a firewall running on user machines and to check for updates; the latter suggests a fix is coming outside of its normal monthly Patch Tuesday schedule.