Microsoft Warns of More "Zero-Day" Exploits
Microsoft Corp. is warning Windows users to be on guard against a couple of unpatched security holes in its products that criminal hacking groups are actively exploiting.
According to an advisory issued on Friday, Microsoft's implementation of XML contains a flaw that bad guys can use to compromise Windows machines just by getting them to visit certain Web sites with Internet Explorer. The other problem, covered by an advisory released last Tuesday, resides in Microsoft's Visual Studio 2005 and is similarly exploitable.
Microsoft has had a tough time this year with so-called "zero-day" (or 0day) attacks -- those in which the bad guys leverage a previously undocumented software security hole to compromise computers hooked up to the Internet. Last year, Microsoft had to deal with just four zero-day attacks. From January through October of 2006, the company has had to chase down no fewer than 14 such attacks by my count, with most surfacing just after Microsoft's regularly scheduled monthly software patch release. Now it looks like we can add two more to that number.
Last week, Security Fix wrote about the "Month of Kernel Bugs" project, which promises to present proof of a new, undocumented security hole for each day of November. Today's bug is one that was actually reported to Microsoft back in Oct. 2004, according to Cesar Cerrudo from Argeniss, the guy credited with discovering the vulnerability.