Microsoft has admitted its role in a security weakness in Internet Explorer that allowed malicious websites to install and run harmful code on a customer’s machine.
The u-turn comes after three months of Microsoft arguing that third-party applications were to blame for the security problems.
The debate started after it emerged that malicious code could make IE launch Firefox and cause it to download and execute commands without the user being aware. Mozilla, the company behind Firefox, issued an immediate fix, but warned that IE could still be used to make other third-party applications run the code.
Microsoft has now admitted that it has worked out how the exploit works and has moved to close it. "Our plan is to revise our URI handling code within ShellExecute to be more strict," the author on a Microsoft blog wrote. "While our update will help protect all applications from malformed URIs, application vendors who handle URIs can also do stricter validation themselves to prevent malicious URIs from being passed to ShellExecute."
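
One way an application vendor could apply the stricter validation the blog post recommends, before a URI is handed on to ShellExecute. This is an added example, not code from Microsoft or Mozilla. The scheme allowlist, the length limit, the function names and the exact rules for what counts as malformed are assumptions made here.

```c
#include <ctype.h>
#include <string.h>

/* Assumed allowlist for this example: schemes the application accepts. */
static const char *const ALLOWED_SCHEMES[] = { "http", "https", "mailto" };

/* Case-insensitive match of uri[0..len) against the allowlist. */
static int scheme_allowed(const char *uri, size_t len) {
    size_t n = sizeof ALLOWED_SCHEMES / sizeof ALLOWED_SCHEMES[0];
    for (size_t i = 0; i < n; i++) {
        const char *s = ALLOWED_SCHEMES[i];
        size_t j = 0;
        while (j < len && s[j] && tolower((unsigned char)uri[j]) == s[j])
            j++;
        if (j == len && s[j] == '\0')
            return 1;
    }
    return 0;
}

/* Returns 1 if uri passes every check, 0 if it must be dropped (never repaired). */
int uri_is_strictly_valid(const char *uri) {
    /* RFC 3986 reserved and unreserved punctuation; anything else
     * (quotes, spaces, backslashes, control bytes, non-ASCII) fails. */
    static const char punct[] = "-._~:/?#[]@!$&'()*+,;=";
    const char *colon;
    size_t len;
    if (uri == NULL || (len = strlen(uri)) == 0 || len > 2048)
        return 0;                       /* 2048 is an assumed length limit */
    colon = strchr(uri, ':');
    if (colon == NULL || !scheme_allowed(uri, (size_t)(colon - uri)))
        return 0;
    for (size_t i = (size_t)(colon - uri) + 1; i < len; i++) {
        unsigned char c = (unsigned char)uri[i];
        if (c == '%') {
            /* Escape must be '%' plus two hex digits and not encode a
             * control byte (high nibble 0 or 1, which includes %00). */
            if (!isxdigit((unsigned char)uri[i + 1]) ||
                !isxdigit((unsigned char)uri[i + 2]) ||
                uri[i + 1] == '0' || uri[i + 1] == '1')
                return 0;
            i += 2;
        } else if (!(c < 128 && isalnum(c)) && strchr(punct, c) == NULL) {
            return 0;
        }
    }
    return 1;
}
```

The caller passes the string to the shell only when the function returns 1; the check is an allowlist, so any character or scheme it does not recognise is refused rather than escaped.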