Exploit Released for Critical PC Hijack Flaw

A fully working exploit for a high-risk vulnerability fixed by Microsoft two days ago has been put into limited release, prompting new "patch now" warnings from computer security experts.
For consumers, Microsoft uses the Automatic Updates mechanism to push down updates but, in the enterprise, patches must go through rigorous test passes to ensure there are no conflicts with mission-critical applications.

On average, it could take a business a full month to fully test and deploy updates to every desktop, laptop, server or mobile device.

According to the MS07-004 bulletin that covers the VML flaw, IE 7.0 on Windows XP and Windows Server 2003 is indeed vulnerable.

Microsoft said the flaw was originally reported through its “responsible disclosure” process, but a note in the advisory says it was used in zero-day attacks before the Patch Day.

http://www.eweek.com/article2/0,1895,2082416,00.asp

Tested Microsoft Windows Components:

Affected Components:

Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 — Download the update

Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4 — Download the update

Internet Explorer 7 on Microsoft Windows XP Service Pack 2 — Download the update

Internet Explorer 7 on Microsoft Windows XP Professional x64 Edition — Download the update

Internet Explorer 7 on Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 — Download the update

Internet Explorer 7 on Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems — Download the update

Internet Explorer 7 on Microsoft Windows Server 2003 x64 Edition — Download the update

When this security bulletin was issued, had this vulnerability been publicly disclosed? No. Microsoft originally received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
Yes. When the security bulletin was released, Microsoft had received information that this vulnerability was being exploited.

http://www.microsoft.com/technet/security/bulletin/MS07-004.mspx

For consumers, Microsoft uses the Automatic Updates mechanism to push down updates but, in the enterprise, patches must go through rigorous test passes to ensure there are no conflicts with mission-critical applications. On average, it could take a business a full month to fully test and deploy updates to every desktop, laptop, server or mobile device.

If I read this correctly, unless you happen to fall into the above catagory, this “Exploit” doesn’t affect you or me at all. :slight_smile:

As the report points out, there are many business users etc who won’t be patched for another month or so.

Also interesting that IE7 XP SP2 users have been exposed to attack before the patch was issued.

Microsoft said the flaw ... was used in zero-day attacks before the Patch Day.

Of course this will not have affected you or me Bob because we never go to bad sites. :wink:

Hi you Bob & FwF,

I think you are also safe as you only use IE7 for update purposes, and you use a small platform secured browser like PocketFlock with security extensions or pre-scan hyperlinks for that matter.
The only time I like to consider using IE7 is when I have to install an active X in Flock to be able to view certain media content.

polonus

Hi polonus,

The only time I like to consider using IE7 is when I have to install an active X in Flock to be able to view certain media content.
That's what makes us different... :) I only use Flock or FF when I'm doing some testing. IE7 is my default browser. ;D