Security Flaw affects Windows XP, Server 2003 and IE7

October 16th, 2007 by Karen

Microsoft last week released Microsoft Security Advisory 943521, detailing a recently discovered URL handling vulnerability in Windows XP and Windows Server 2003 with Windows Internet Explorer 7. Other affected applications include Firefox, Skype, Acrobat Reader, Miranda and Netscape. According to Microsoft, Vista and earlier versions of IE are safe.

The United States Computer Emergency Readiness Team (US-CERT) gave an example on its website of how the flaw could be exploited: “For example, a ‘safe’ protocol such as mailto: may be incorrectly handled with an ‘unsafe’ application, such as the Windows command interpreter. This can allow the unexpected execution of arbitrary commands.”

After being notified by Heise Security, Firefox fixed this problem with security update 2.0.0.6. Skype also fixed the problem with security update 3.5.0.239.

The Microsoft security advisory did not state when an update would be ready, but the next monthly “Patch Tuesday” release is scheduled for 13 Nov 2007.

On the Microsoft Security Response Center website, Jonathan Ness wrote, “Our plan is to revise our URI handling code.” He then continued, “While our update will help protect all applications from malformed URI’s, application vendors who handle URI’s can also do stricter validation themselves to prevent malicious URI’s from being passed.”
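
The stricter validation by application vendors that Ness mentions, sketched as an added example that is not from the article or from Microsoft: a Python check an application could run before handing a URI to the operating system's protocol handler. The scheme allowlist, the rejection rules and the sample URIs are assumptions constructed for illustration.

```python
import re
import string

# Assumption: the only schemes this hypothetical application passes to the OS.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Characters RFC 3986 permits in a URI (unreserved + reserved), plus "%".
_URI_CHARS = set(string.ascii_letters + string.digits + "-._~:/?#[]@!$&'()*+,;=%")
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
_BAD_ESCAPE_RE = re.compile(r"%(?![0-9A-Fa-f]{2})")   # "%" not followed by 2 hex digits
_ESCAPE_RE = re.compile(r"%([0-9A-Fa-f]{2})")


def check_uri(uri):
    """Return (ok, reason). Malformed input is rejected, never repaired."""
    m = _SCHEME_RE.match(uri)
    if not m:
        return False, "no scheme"
    if m.group(1).lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    bad = sorted(set(uri) - _URI_CHARS)
    if bad:                       # quotes, spaces, backslashes, control bytes...
        return False, "illegal character %r" % bad[0]
    if _BAD_ESCAPE_RE.search(uri):
        return False, "malformed percent-escape"
    for pair in _ESCAPE_RE.findall(uri):
        value = int(pair, 16)
        if value < 0x20 or value == 0x7F:
            return False, "encoded control character"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    samples = [
        "mailto:user@example.com",
        "mailto:user%zz@example.com",
        "https://example.com/a%0Ab",
        'http://example.com/a"b',
        "file:///C:/x",
        "example.com",
    ]
    for s in samples:
        print("%-32s %s" % (s, check_uri(s)))
```

Only a URI that passes the check is forwarded unchanged; anything else is dropped rather than cleaned up, so the handler never receives a string the application itself considers malformed.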
