
October 16, 2007

Researcher releases patch for Windows URI bug ahead of Microsoft

By Ruben Francia





Just days after Microsoft announced its plans to fix a bug in Windows XP and Server 2003 on PCs with Internet Explorer 7, a researcher has posted an unofficial patch for the Windows URI bug.

According to Computerworld, a researcher going by the name KJK has released a patch dubbed “ShellExecuteFiasco” by posting a link on both his Web site and the Full Disclosure security mailing list.

The patch, when installed, captures malformed URLs and converts them to a normalized form before allowing them to be executed.

His technique, commonly called URL normalization, is the same technique used by most search engines, which strip off the “www” part of a URL and convert the remaining part to lowercase to reduce indexing of duplicate pages.

However, the application of this patch is at users’ risk, KJK warned.

“The present patch is dramatically under-tested and it has underwent [sic] no quality assurance procedure whatsoever, so please deploy with the greatest care,” he said in the notes accompanying the fix. “It has a very good chance of misbehaving and making your system unusable.”

The implementation of this patch seems to be risky. Users who are not in a hurry are advised to wait for the Microsoft patch. Microsoft has at least declared its intention to provide a patch for this bug, although the company has not disclosed a timetable for its release.
