A fully working exploit for a high-risk vulnerability fixed by Microsoft two days ago has been put into limited release, prompting new "patch now" warnings from computer security experts.
For consumers, Microsoft uses the Automatic Updates mechanism to push down updates but, in the enterprise, patches must go through rigorous test passes to ensure there are no conflicts with mission-critical applications. On average, it could take a business a full month to fully test and deploy updates to every desktop, laptop, server or mobile device.
According to the MS07-004 bulletin that covers the VML flaw, IE 7.0 on Windows XP and Windows Server 2003 is indeed vulnerable. Microsoft said the flaw was originally reported through its “responsible disclosure” process, but a note in the advisory says it was used in zero-day attacks before the Patch Day.
http://www.eweek.com/article2/0,1895,2082416,00.asp
Tested Microsoft Windows Components:
Affected Components:
• Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 — Download the update
• Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4 — Download the update
• Internet Explorer 7 on Microsoft Windows XP Service Pack 2 — Download the update
• Internet Explorer 7 on Microsoft Windows XP Professional x64 Edition — Download the update
• Internet Explorer 7 on Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 — Download the update
• Internet Explorer 7 on Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems — Download the update
• Internet Explorer 7 on Microsoft Windows Server 2003 x64 Edition — Download the update
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft originally received information about this vulnerability through responsible disclosure.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
Yes. When the security bulletin was released, Microsoft had received information that this vulnerability was being exploited.
http://www.microsoft.com/technet/security/bulletin/MS07-004.mspx