By Joris Evers, News.com
Posted on ZDNet News: Sep 29, 2006 5:33:00 PM

Sample code is circulating on the Internet for an attack using a flaw that Microsoft knows about, but has not yet fixed.

On Thursday, Microsoft warned people about a vulnerability in the Windows Shell, the part of the operating system that presents the user interface. The flaw affects Windows 2000, Windows XP and Windows Server 2003 and could be exploited via the Internet Explorer Web browser through a component called WebViewFolderIcon, the company said in an advisory.

"An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer," Microsoft said. "An attacker who successfully exploited this vulnerability could gain the same user rights as the local user."

While sample exploit code has been published, Microsoft said it has not yet seen any related attacks. The vulnerability was actually discovered two months ago, but the code only surfaced this week, according to the French Security Incident Response Team.

Security monitoring company Secunia deems the issue "extremely critical," its most severe rating. Microsoft said it is working on a fix and plans to release it on Oct. 10 as part of its regular patch cycle. Meanwhile, it suggested several workarounds in its advisory to protect Windows systems.

On Friday, security company Determina provided a third-party fix for the flaw. It is the second time in as many weeks that an outsider has patched a flaw in a Microsoft product. Microsoft does not recommend using such third-party fixes, saying they could cause compatibility problems.

The Windows Shell bug is one of several flaws that are publicly known and for which exploit code is available, but which Microsoft has yet to patch. Cybercrooks are actively exploiting yet-to-be-fixed holes in PowerPoint, Word and IE, Microsoft has acknowledged.

Miscreants are taunting Microsoft with zero-day code, meaning attack code released immediately after a flaw or patch is made public, experts have said. Some security watchers have started to use the term "zero-day Wednesday" for the day after "Patch Tuesday," Microsoft's patch day on the second Tuesday of each month. Microsoft put its patches on a schedule to give IT managers time to plan and prepare.

Microsoft issued a "critical" security fix for Windows on Tuesday, two weeks before its scheduled October release date. The update repairs a flaw in a Windows component called "vgx.dll" that was being widely exploited in cyberattacks, experts said.

Talkback (most recent of 71)

Integrating Browser Was An OK Idea
For some time Windows products have had HTML-based help. (The benefit of using an existing technology, rather than inventing a new one from scratch, seems OK to me.)
Given that the help is in HTML, ...
Posted by: LinuxAndWindows on 10/02/06
