Skip to main content
MSRC

ShellExecute

MS10-007: Additional information and recommendations for developers

Tuesday, February 09, 2010

Today we are releasing MS10-007 to address a URL validation issue generally applicable to the ShellExecute API. How would a malicious user leverage this vulnerability? This issue involves how ShellExecute handles strings that appear to be legitimate URLs, but are malformed such that they result in execution of arbitrary code. Various technologies use ShellExecute to initiate a browser navigation.