MS07-061

Another Microsoft Patch Tuesday has arrived with another set of bugs, however this Tuesday we only had one which was ranked critical and as it turns out it's the bug that I was working on last week. The advisory, given the MSB number MS07-061, refers to the issue with the way Windows XP and 2003 improperly handle URIs. The attack vector that was being used to leverage this vulnerability in the wild was a behavioral issue with Adobe Acrobat, which could be made to silently instruct the OS to resolve a "mailto" URI from within a PDF document. Incidentally, resolving a URI this way required no user intervention, which made it a perfect attack vector since many browsers will use the Adobe Reader plug-in to render PDF documents directly in the browser. I began working on reproducing the attack using this pair of bugs last week due to finding out that they were actively being exploited in the wild, thus making them fairly interesting to me. You can read my summary in a previous post of mine, Adobe Acrobat and IE7 are the Best of Friends for the full details. At the time of that analysis, Adobe had patched Acrobat so that it would no longer resolve mailto URIs silently, but of course that was only half of the problem; finding other methods of having the OS resolve malicious URIs was entirely possible. Microsoft, however, has now patched their half of the problem via today's patch.