The Windows URI handler problem is finally getting a fix today. Microsoft is changing the function ShellExecute() so it sanitizes any links it processes. The flaw has been blamed for many vulnerabilities in other programs, vulnerabilities Microsoft originally said were not its problem. The software company has since reversed its position. The patch’s release date has not been revealed, but the next set of patches is due November 13.
Not all URI handling vulnerabilities will be fixed, though. How far the changes go depends on how Microsoft implements them, but bugs in other applications that are exploited after Windows’ processing will not be affected. Vulnerabilities exploiting intended uses of URI handlers, such as a recently discovered Picasa exploit, will not be fixed, and in fact cannot be fixed by changes to Windows.