Microsoft plans to fix a bug in the Windows operating system that has been blamed for a handful of critical vulnerabilities in Windows software. The flaw lies in the URI (Uniform Resource Identifier) handler technology that lets Windows users launch programs -- e-mail or instant messaging clients, for example -- through their browsers by clicking on specially crafted Web links. In July, security researcher Thor Larholm showed how a browser could be tricked into sending malformed data to Firefox using this technology. This bug allowed an attacker to run unauthorized software on a victim"s PC.
Later, other researchers began exploring ways of misusing other programs to achieve similar results. To date, researchers have found ways to exploit this type of vulnerability in many products including Firefox, Outlook Express 6, and Adobe Reader 8.1. The problem lies in the way the PC"s software "sanitizes" these links to make sure attackers cannot successfully insert malicious code into them. Its solution has been a matter of dispute. Some security experts have said that Windows could do a better job in checking the links to make sure they were not malicious; Microsoft had insisted that this was the job of the people who were writing the programs that were being launched.