After much debate over a recently discovered protocol-handling flaw, which Microsoft claimed was a problem with third-party software, the software giant has announced it is indeed working on a patch. The flaw, which affects Windows XP and 2003 systems running IE 7, lies in the URI handling component, so that a user who clicks on a specially crafted link can end up launching a malicious program.
In recent months, researchers outlined vulnerabilities in Firefox and Internet Explorer that could allow an attacker to execute malicious code and compromise a target system. Later on, researchers discovered similar problems with other applications, including Adobe Reader and Outlook Express, suggesting that the problem wasn't with a single application, but rather with the way that Windows handles messages between a web browser and other applications.
Microsoft now agrees with that assessment and will issue an update to a Windows function known as ShellExecute so that it sanitizes the links it is processing. Microsoft gave no expected release date for the update, however. As always, users are advised not to follow untrusted links or browse untrusted websites.