Cybercrooks add Windows flaw to arsenal

Attackers have added another, yet-to-be-patched Windows flaw to their arsenal, experts warned Saturday.

Cybercrooks have started exploiting a flaw in the Windows Shell only days after sample attack code for the vulnerability surfaced. Web sites that exploit the vulnerability are popping up and attempt to load malicious software onto vulnerable Windows PCs in a way that is undetectable to users, experts said.

“There are professionals at work using the exploit code,” security firm Websense said in an alert. The miscreants taking advantage of the flaw appear to be part of the same group that in December used another Windows flaw to hoist spyware onto PCs, Websense said. That flaw stemmed from the way Windows handled Windows Metafile, or WMF images.

Microsoft warned of the Windows Shell flaw on Thursday. The flaw affects Windows 2000, Windows XP and Windows Server 2003, and could be exploited via the Internet Explorer Web browser through a component called WebViewFolderIcon

http://news.zdnet.com/2100-1009_22-6121584.html

Hi drhayden1,

Funny that MS gives the advice to use one of the alternate browsers to avoid this flaw until the patch comes out. The IE browser is showing its brittleness now every day.

polonus

polonus,
MS said nothing about using another browser.
The quote in that article was as follows:

Windows users can protect themselves by following the guidance Microsoft gives in its advisory, switching to a non-Microsoft Web browser, or installing security software such as Exploit Prevention Labs' SocketShield.

Please note the comma after “following the guidance Microsoft gives in its advisory” and “to a non-Microsoft Web browser”.
These are 2 separate statements made by the writer of this article.
It isn’t something said by Microsoft.