A bug in IE7 affecting how the browser handles URIs that launch external programs, patched today, has rekindled discussions about the responsibilities of protocol handlers. While some say the browser developers should be held responsible, others say it is a Windows problem.
From what I have read about the issue, dozens of programs are potentially vulnerable. The vulnerability is reportedly in the way Windows handles the launching of programs, not in Internet Explorer or Firefox (both of which were affected by the earlier QuickTime protocol bug). I would say that the responsibility of fixing the problem falls on Microsoft in that case, except the software giant has already stated that the problem is in the external programs (this statement came after the QuickTime bug, earlier this year).
Microsoft can’t be reasonably expected to cover all the bases when it comes to external apps, of course, but modifying individual programs creates a lot more work. Perhaps the solution is to disable external app launching altogether, though a lot of users would probably object to that. Maybe the fix should be a concerted effort between Microsoft and affected programs, with the entities working together to produce fixes in both products that will both fix the current flaw and prevent similar problems from cropping up again.