by Sean Gallagher

The Windows URI exploit: Whose Bug Is It, Anyway?

analysis
Oct 13, 2007


Microsoft is fixing a well-known bug in Windows XP and Windows Server 2003 that has been at the root of several vulnerabilities. The bug relates to the Uniform Resource Identifier (URI) handler in Windows that allows a program to launch another program to handle a clicked link.

Previously, Microsoft had blamed bugs related to the URI call on sloppy coding in the programs that use the call. The argument had been that the software using the call should actually check to see if the thing being clicked is a valid URI, and not some attempt to execute arbitrary code.
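As an added illustration of the check the column says the calling application should make (this is example code, not from the original column or from Microsoft): a strict allowlist filter an application could run on a clicked link before handing it to ShellExecute(). The scheme allowlist, the length cap and the accepted character set are assumptions; the function deliberately does not call ShellExecute() itself, so it builds on any platform.

```c
/* Added example, not from the column: gate a clicked link before it reaches
 * the OS URI handler (ShellExecute on Windows). Allowlist, length cap and
 * character set are assumptions; the caller only invokes ShellExecute when
 * this returns true. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

static const char *const ALLOWED_SCHEMES[] = { "http", "https", "mailto", NULL };

/* Case-insensitive compare of the first `n` bytes of `s` against `scheme`,
 * written by hand so the example builds with any C compiler. */
static bool scheme_matches(const char *s, size_t n, const char *scheme)
{
    if (strlen(scheme) != n) return false;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != (unsigned char)scheme[i]) return false;
    return true;
}

/* Returns true only if `uri` has an allowlisted scheme and every byte after
 * the colon is an RFC 3986 unreserved/reserved character or a well-formed
 * %XX escape. Spaces, quotes, control bytes and a stray '%' are rejected
 * here instead of being handed to the handler to interpret. */
bool is_safe_uri(const char *uri)
{
    if (uri == NULL) return false;
    size_t len = strlen(uri);
    if (len == 0 || len > 2048) return false;          /* assumed length cap */

    const char *colon = strchr(uri, ':');
    if (colon == NULL) return false;

    bool known = false;
    for (int i = 0; ALLOWED_SCHEMES[i] != NULL; i++)
        if (scheme_matches(uri, (size_t)(colon - uri), ALLOWED_SCHEMES[i])) known = true;
    if (!known) return false;

    static const char extra[] = "-._~:/?#[]@!$&'()*+,;=";
    for (const char *p = colon + 1; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '%') {
            if (!isxdigit((unsigned char)p[1]) || !isxdigit((unsigned char)p[2]))
                return false;
            p += 2;                                    /* skip the two hex digits */
        } else if (!isalnum(c) && strchr(extra, c) == NULL) {
            return false;
        }
    }
    return true;
}
```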

It seems like a perfectly rational position, on the surface. Windows is just the messenger, so why kill the messenger? But with so much of the functionality in the software we use every day now built on Windows system calls of one sort or another—either in the name of developer productivity or for better integration into Microsoft’s milieu—software developers on Windows have become extremely dependent on the underlying platform to handle basic tasks.

That kind of dependency is why we end up having to test patches so thoroughly before we deploy them. And that, in truth, may be why Microsoft’s team has been so reluctant to patch this one — the interdependencies on the URI handler across all of the software someone in a networked office uses are unknowable. It’s not uncommon for developers to take advantage of a certain slushiness in a function call like the ShellExecute() function that’s at issue here to finesse application functionality in ways unexpected by Microsoft (or anyone else), because developers are clever (and often too clever for their own good).

Microsoft relented on Thursday, and announced that it would fix the thing. But I’m betting the patch will need some serious review by IT staff before it gets pushed out to systems.