Microsoft Changes Tune on IE7 Vulnerability
Reversing its initial assessment, Microsoft on Wednesday acknowledged that it needs to fix a vulnerability in its Internet Explorer 7 Web browser that could allow malicious Web sites to install unwanted software on Windows XP and Windows Server 2003 machines.
Evidence of the flaw first surfaced in June, and not long afterward Firefox browser maker Mozilla shipped a security update to fix a problem wherein a nasty Web site could use the mere existence of IE7 on a Windows machine to force Firefox to launch pretty much any application already installed on Windows, simply by convincing the user to click on a specially crafted link.
Mozilla said its update prevented the Windows flaw from using Firefox as the vehicle for hacking a vulnerable system, but that the nature of the vulnerability meant that attackers could force pretty much any other Windows software application to open up a virtual backdoor on PCs and let bad guys install malicious software of their choosing.
Microsoft maintained for months that this was not the result of a Windows design flaw. Throughout, Microsoft's stance was that it had "thoroughly investigated the claim of a vulnerability in Internet Explorer and found that this is not a vulnerability in a Microsoft product."
Fast-forward to Wednesday, when the company issued a security bulletin essentially acknowledging that Mozilla's initial prognosis was correct, at least for "supported editions of Windows XP and Windows Server 2003 with Windows Internet Explorer 7 installed." Interestingly, Microsoft says this vulnerability does not affect IE7 on Windows Vista, or IE6 and earlier versions on Windows XP.
Microsoft concedes that attackers could exploit this flaw merely by convincing a Windows user to click on a link in an e-mail. The company says it is not aware of any malicious Web sites actively exploiting this vulnerability and that it is crafting a security update to plug this security hole.
But the sticky part here is that instructions showing criminals precisely how to exploit this flaw to break into Windows computers were posted online some time ago. Indeed, security provider Symantec warns that "with the ease of exploitation, the availability of public proof-of-concept code, and further attention that this vulnerability is receiving, it is likely this issue will begin to see more exploitation in the wild."
Not sure what "Eureka!" moment caused Microsoft to change its tune on this, but here's hoping they ship a fix before cyber crooks start exploiting the flaw for financial gain.
In other Windows vulnerability news, Symantec says it has seen evidence that cyber crooks are now exploiting a flaw in certain Microsoft Office file formats that could be used to compromise Windows PCs. While Microsoft on Tuesday shipped a software patch to fix this particular vulnerability, it is likely to remain unfixed on millions of Windows PCs for some time. That's because the group most at risk from this flaw are Office 2000 users. While Microsoft makes most security updates available through its Microsoft Update site, Office 2000 users must make a separate trip over to the Office Update site to download fixes. In a further complication, the default installation process for Office 2000 patches requires the user to have the original Office installation discs handy.