Another zero-day threat hits Windows

Sample code is circulating on the Internet for an attack using a flaw that Microsoft knows about, but has not yet fixed.

On Thursday, Microsoft warned people about a vulnerability in the Windows Shell, the part of the operating system that presents the user interface. The flaw affects Windows 2000, Windows XP and Windows Server 2003 and could be exploited via the Internet Explorer Web browser through a component called WebViewFolderIcon, the company said in an advisory.

"An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer," Microsoft said. "An attacker who successfully exploited this vulnerability could gain the same user rights as the local user."

While sample exploit code has been published, Microsoft said it has not yet seen any related attacks. The vulnerability was actually discovered two months ago, but the code only surfaced this week, according to the French Security Incident Response Team.

Security monitoring company Secunia deems the issue "extremely critical," its most severe rating. Microsoft said it is working on a fix and plans to release it on Oct. 10 as part of its regular patch cycle. Meanwhile, it suggested several workarounds in its advisory to protect Windows systems.

On Friday, security company Determina provided a third-party fix for the flaw. It is the second time in as many weeks that an outsider has patched a flaw in a Microsoft product. Microsoft does not recommend using such third-party fixes, saying they could cause compatibility problems.

The Windows Shell bug is one of several flaws that are publicly known and for which exploit code is available, but which Microsoft has yet to patch. Cybercrooks are actively exploiting yet-to-be-fixed holes in PowerPoint, Word and IE, Microsoft has acknowledged.

Miscreants are taunting Microsoft with zero-day code, or attack code released immediately after a flaw or patch is made public, experts have said. Some security watchers have started to coin the term "zero-day Wednesday" to come after "Patch Tuesday," Microsoft's patch day on the second Tuesday of each month. Microsoft put its patches on a schedule to give IT managers time to plan and prepare.

Microsoft issued a "critical" security fix for Windows on Tuesday, two weeks before its October scheduled release date. The update repairs a flaw in a Windows component called "vgx.dll" that was being exploited widely in cyberattacks, experts said.

[Sparky672]

ho hum... more of the same.

I'm shocked, shocked I tell you.

[fc11]

This is Active X control again. You should set IE sec level to high

Active X controls are evel. Set your IE security settings for internet Zone to High or medium to prevent all active X controls from running.

[Penguinisto]

Okay, so NOW does everyone agree that ActiveX is bad?

...I mean, really folks. This is a patch to a patch to a patch to a patch now.

If you want to escape this treadmill, just head for <a class="jive-link-external" href="http://www.mozilla.com" target="_newWindow">http://www.mozilla.com</a> and get away from the mess (well, mostly - you're still stuck with supporting IE if you have Windows. Fortunately the free copy of IE that came with my Mac was flushed down the crapper less than five seconds after I opened Safari :) )

/P

[panazule]

Not really

I'd agree your a petty little microsoft basher.

What's funny about all of this is as a browsers market share increase, so does the bugs that are discovered.

Macintosh.. no virus's as the commercials say? Don't crash like the commercials say? Yea right...

If it had more than a single digit market share there would be trojans and virus's and everything else out there the only reason there is not is because why target an audience that is so small if your goal is to cause problems.

Don't forget to put on that penguin hat.

[zaznet]

I agreed to that a long time ago.

I knew ActiveX was insecure long before the first exploit or patch. Same as I kne IE was insecure long before and the same as I knew VB Script embeded in Word and Excel was insecure. It was just poor design from the start that got Microsoft into this trouble. ActiveX was designed without a single concern for security, and has since had many patches applied to change that.

[extinctone]

Hey panazule! The "market share" to "threat level" argument is bogus.

&gt;If it had more than a single digit market share

Then why is it MS has an insignificant market share for web servers, yet the highest amount of high impact vulnerabilities and hacks?

<a class="jive-link-external" href="http://news.netcraft.com/archives/web_server_survey.html" target="_newWindow">http://news.netcraft.com/archives/web_server_survey.html</a>

MS has steadily DECLINED in market share since early 2002. (The recent increases were due to massive amounts of domains being 'parked' on Windows (virus) servers. Anyone worth his/her weight in paper chooses a reliable and secure platform to run an Internet server on, not a Microsoft platform.

[gggg sssss]

then explain

why that little red squiggley MS line seems to be heading UP since March 2006 whiel all of teh other lines are heading down. At that rate they MS will cross teh appache line in 2008

Oops

[wbenton]

News TOO OLD!!!

&gt;&gt;&gt;that Microsoft knows about, but has not yet fixed&lt;&lt;&lt;

Back in 1995, that was news... but now... 11 years later in 2006...

That's moronic!!!

Walt

[zaznet]

Not "Zero Day" Exploit

This is a vulnerability that was known 2 months ago. How can it be "Zero Day" two months later? It is simply an unpatched vulnerability that exploit code is now available for, 2 months later.

Zero Day means the exploit is available the same day a vulnerability is known about. Please consider revising the title.

[imacpwr]

Windows: The Most UNsecure OS Online Today..!!

Oh am I sooooo happy I switched to a Mac last year...!!!!

Once you go Mac,

YOU NEVER GO BACK..!!!

[Vegaman_Dan]

You never go back!

You never go back once you buy a Mac- because your brain turns off! You don't bother reading articles before spouting rheotoric! You become yet another Mac Zombie.

There are rumors about reasonable Mac owners who don't spend every waking moment looking for fault with others, but so far I haven't found that many and this person is a perfect example of giving Mac users a bad name.

[Vegaman_Dan]

Because Macs are Perfect

You'll never go back. Nope. Not when you can use another operating system that *ALSO* has security flaws and the OEM has released patches for it.

<a class="jive-link-external" href="http://news.com.com/Apple+releases+Mac+OS+X+security+update/2100-1002_3-6121372.html?tag=nefd.top" target="_newWindow">http://news.com.com/Apple+releases+Mac+OS+X+security+update/2100-1002_3-6121372.html?tag=nefd.top</a>

Hypocrisy is a terrible thing to waste.

[maxwis]

Microsoft Admits ActiveX Not Safe

Now why would Microsoft turn off by default ActiveX and Active scripting in Windows Server? Because they knew that it provided a vector for an infection that they had no defense against. The smoking gun. Solution to today's Zero Day attack warning: Use a browser that does not support ActiveX.

<a class="jive-link-external" href="http://www.microsoft.com/technet/security/advisory/926043.mspx" target="_newWindow">http://www.microsoft.com/technet/security/advisory/926043.mspx</a>
"By default, Internet Explorer on Windows 2003 Server runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability because ActiveX and Active Scripting are disabled by default."

[qwerty75]

agree

Out of all the terrible ideas from Redmond, this is one of the worst.

ActiveX was poorly designed and even poorly implemented. Why they don't ditch it, is beyond me.

The gains to online security far outweigh the losses due to shortsighted people having to rewrite software that was dependant on ActiveX.

[gggg sssss]

have you ever

actually run a server? Server 2003 specifically? Any clue about why a developer would use activex in a web page? Why tyehy woudl use this particular WebFolder control in a web page that woudl be relevant to running a server?

MS probbaly somehwere also suggests that teh server not be used to play Doom as well. Do you question that also?

[wbenton]

Microsoft backed themselves into a strange corner

Now that they've got everybody rushing to turn off Active-X... how are they going to push their next security releases which require IE using Active-X... (* LOL *)

Seriously, I could care less either way... but it does put them and their users in quite an awkard position!!! (* CHUCKLE *)

Walt