Microsoft Fixes URI Handler Flaw

This post was published 12 years 9 months 28 days ago. A number of changes have been made to the site since then, so please contact me if anything is broken or seems wrong.

The Windows URI handler problem is finally getting a fix today. Microsoft is changing the function ShellExecute() so it sanitizes any links it processes. The flaw has been blamed for many vulnerabilities in other programs, vulnerabilities Microsoft originally said were not its problem. The software company has since reversed its position. The patch’s release date has not been revealed, but the next set of patches is due November 13.

Not all URI handling vulnerabilities will be fixed, though. Depending on how Microsoft implements the changes, they will go only so far: bugs in other applications that are exploited after Windows’ processing will not be affected. Vulnerabilities exploiting intended uses of URI handlers, such as a recently discovered Picasa exploit, will not be fixed, and in fact cannot be fixed by changes to Windows.


I am an avid technology and software user, in addition to being reasonably well-versed in CSS, JavaScript, HTML, PHP, Python, and (though it still scares me) Perl. Aside from my technological tendencies, I am also a theatre technician, sound designer, violinist, singer, and actor.
