On Thursday, Microsoft warned people about a vulnerability in the Windows Shell, the part of the operating system that presents the user interface. The flaw affects Windows 2000, Windows XP and Windows Server 2003 and could be exploited via the Internet Explorer Web browser through a component called WebViewFolderIcon, the company said in an advisory.
"An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer," Microsoft said. "An attacker who successfully exploited this vulnerability could gain the same user rights as the local user."
While sample exploit code has been published, Microsoft said it has not yet seen any related attacks. The vulnerability was actually discovered two months ago, but the code only surfaced this week, according to the French Security Incident Response Team.
Security monitoring company Secunia deems the issue "extremely critical," its most severe rating. Microsoft said it is working on a fix and plans to release it on Oct. 10 as part of its regular patch cycle. Meanwhile, it suggested several workarounds in its advisory to protect Windows systems.
On Friday, security company Determina provided a third-party fix for the flaw. It is the second time in as many weeks that an outsider has patched a flaw in a Microsoft product. Microsoft does not recommend using such third-party fixes, saying they could cause compatibility problems.
The Windows Shell bug is one of several flaws that are publicly known and for which exploit code is available, but which Microsoft has yet to patch. Cybercrooks are actively exploiting yet-to-be-fixed holes in PowerPoint, Word and IE, Microsoft has acknowledged.
Miscreants are taunting Microsoft with zero-day code, or attack code released immediately after a flaw or patch is made public, experts have said. Some security watchers have started to coin the term "zero-day Wednesday" to come after "Patch Tuesday," Microsoft's patch day on the second Tuesday of each month. Microsoft put its patches on a schedule to give IT managers time to plan and prepare.
Microsoft issued a "critical" security fix for Windows on Tuesday, two weeks before its October scheduled release date. The update repairs a flaw in a Windows component called "vgx.dll" that was being exploited widely in cyberattacks, experts said.
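Microsoft's advisory, as quoted in the comment thread, notes that the Enhanced Security Configuration mode of Internet Explorer on Windows Server 2003 mitigates this issue because ActiveX and Active Scripting are disabled by default. The PowerShell script below is an added example, not code from the article, CNET or Microsoft, that audits those two settings for the Internet zone and reports the ESC state, so an administrator can confirm the mitigation is actually in place on a given box. It assumes (not stated on the page) that IE stores the zone policy as DWORD values named 1200 (Run ActiveX controls and plug-ins) and 1400 (Active scripting) under the zone 3 key, with 0 = enable, 1 = prompt and 3 = disable, and that the ESC state for administrators is recorded as IsInstalled under the Active Setup component key named in the script.

```powershell
# Added example (not from the CNET article or Microsoft's advisory): audit the two
# Internet Explorer settings the advisory quote relies on, "Run ActiveX controls and
# plug-ins" and "Active scripting", for the Internet zone (zone 3) of the current user,
# and report whether Enhanced Security Configuration is switched on for administrators.
# Assumptions: zone policy lives in DWORDs named 1200 (ActiveX) and 1400 (Active
# scripting), with 0 = enable, 1 = prompt, 3 = disable; ESC state for administrators is
# the IsInstalled value under the Active Setup component key below.

$zonePath     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$escAdminPath = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'

# Meaning of the DWORD values IE uses for a zone policy (assumed, see lead-in).
$meaning = @{ 0 = 'enabled'; 1 = 'prompt'; 3 = 'disabled' }

function Get-ZoneSetting {
    param([string]$Path, [string]$ValueName, [string]$Label)

    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: IE falls back to its built-in default for the zone, so flag for review.
        return [pscustomobject]@{ Setting = $Label; State = 'not set (IE default applies)'; Risk = 'review' }
    }

    $raw   = [int]$item.$ValueName
    $state = if ($meaning.ContainsKey($raw)) { $meaning[$raw] } else { "unknown ($raw)" }
    $risk  = switch ($raw) {
        0       { 'exposed' }              # control/script runs without asking
        1       { 'prompt (user decides)' }
        3       { 'mitigated' }
        default { 'review' }
    }
    [pscustomobject]@{ Setting = $Label; State = $state; Risk = $risk }
}

$report = @(
    Get-ZoneSetting -Path $zonePath -ValueName '1200' -Label 'Run ActiveX controls and plug-ins (Internet zone)'
    Get-ZoneSetting -Path $zonePath -ValueName '1400' -Label 'Active scripting (Internet zone)'
)

# ESC state: the key only exists on server SKUs that ship the feature.
$esc = Get-ItemProperty -Path $escAdminPath -Name IsInstalled -ErrorAction SilentlyContinue
$escOn = ($null -ne $esc) -and ($esc.IsInstalled -eq 1)
$report += [pscustomobject]@{
    Setting = 'IE Enhanced Security Configuration (administrators)'
    State   = if ($null -eq $esc) { 'key absent (ESC not present on this SKU)' } elseif ($escOn) { 'on' } else { 'off' }
    Risk    = if ($escOn) { 'mitigated' } else { 'review' }
}

$report | Format-Table -AutoSize
```

Run it in the context of the user whose browser you care about; the zone values are per-user (HKCU), while the ESC switch is machine-wide. A row marked "exposed" means a page in the Internet zone can instantiate ActiveX controls or run script without a prompt, which is exactly the condition the advisory says ESC removes.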
If you want to escape this treadmill, just head for http://www.mozilla.com and get away from the mess (well, mostly - you're still stuck with supporting IE if you have Windows. Fortunately the free copy of IE that came with my Mac was flushed down the crapper less than five seconds after I opened Safari :) )
What's funny about all of this is that as a browser's market share increases, so do the bugs that are discovered.
Macintosh... no viruses, as the commercials say? Doesn't crash, like the commercials say? Yeah, right...
If it had more than a single-digit market share there would be trojans and viruses and everything else out there. The only reason there is not is: why target an audience that is so small, if your goal is to cause problems?
Don't forget to put on that penguin hat.
Then why is it MS has an insignificant market share for web servers, yet the highest amount of high impact vulnerabilities and hacks?
http://news.netcraft.com/archives/web_server_survey.html
MS has steadily DECLINED in market share since early 2002. (The recent increases were due to massive amounts of domains being 'parked' on Windows (virus) servers.) Anyone worth his/her weight in paper chooses a reliable and secure platform to run an Internet server on, not a Microsoft platform.
Oops
Back in 1995, that was news... but now... 11 years later in 2006...
That's moronic!!!
Walt
Zero Day means the exploit is available the same day a vulnerability is known about. Please consider revising the title.
Once you go Mac,
YOU NEVER GO BACK..!!!
There are rumors about reasonable Mac owners who don't spend every waking moment looking for fault with others, but so far I haven't found that many and this person is a perfect example of giving Mac users a bad name.
http://news.com.com/Apple+releases+Mac+OS+X+security+update/2100-1002_3-6121372.html?tag=nefd.top
Hypocrisy is a terrible thing to waste.
- Microsoft Admits ActiveX Not Safe
- by maxwis May 5, 2008 6:01 AM PDT
- Now why would Microsoft turn off by default ActiveX and Active scripting in Windows Server? Because they knew that it provided a vector for an infection that they had no defense against. The smoking gun. Solution to today's Zero Day attack warning: Use a browser that does not support ActiveX.
- agree
- by qwerty75 September 29, 2006 12:46 PM PDT
- Out of all the terrible ideas from Redmond, this is one of the worst.
- have you ever
- by gggg sssss September 29, 2006 7:35 PM PDT
- actually run a server? Server 2003 specifically? Any clue about why a developer would use ActiveX in a web page? Why they would use this particular WebFolder control in a web page that would be relevant to running a server?
- Microsoft backed themselves into a strange corner
- by wbenton September 30, 2006 5:32 AM PDT
- Now that they've got everybody rushing to turn off Active-X... how are they going to push their next security releases which require IE using Active-X... (* LOL *)
http://www.microsoft.com/technet/security/advisory/926043.mspx
"By default, Internet Explorer on Windows 2003 Server runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability because ActiveX and Active Scripting are disabled by default."
ActiveX was poorly designed and even poorly implemented. Why they don't ditch it, is beyond me.
The gains to online security far outweigh the losses due to shortsighted people having to rewrite software that was dependent on ActiveX.
MS probably somewhere also suggests that the server not be used to play Doom as well. Do you question that also?
Seriously, I could care less either way... but it does put them and their users in quite an awkward position!!! (* CHUCKLE *)
Walt