With Exploit Out, Microsoft Rushes IE 7 Fix

Using Internet Explorer 7 on Windows XP PCs remains risky. Plus: Grab Microsoft's Office and mail fixes, and beware of PDF attachments.

PC World
Thursday, December 6, 2007; 3:19 PM

Microsoft finally stepped up work on a patch to address vulnerabilities in the way Internet Explorer 7 interacts with other programs. But with no fix available at press time, using IE 7 on Windows XP machines is risky business.

The problem lies in how IE 7 interacts, via its URI (uniform resource identifier) handler, with products such as Adobe's Acrobat Reader or Mozilla's Firefox. At first, Microsoft stonewalled, pointing a finger at Firefox; then, after acknowledging that the problem was its own, the company dragged its feet on a fix because no exploit existed. That changed when a PDF Trojan horse attack started making the rounds in October. Adobe patched Reader (see below), but that covers only one end of the worm hole.

Microsoft's patch has been in testing for a while and apparently will remain so for some time. My advice to Windows XP users: Stick with Firefox, version 2.0.0.6 and up, which already has a patch for the URI vulnerability. For more, read our updated information on the URI patch for IE 7.

The PDF attack that forced Microsoft's hand on the IE 7 fix described above also serves as a reminder: When it comes to unsolicited e-mail, trust no sender and no attachment, regardless of the file format.

The Trojan horse attack, which arrives in an infected Portable Document Format file, brings an old social-engineering ploy to PDFs, which malware filters usually don't vet. Carrying a subject line such as "invoice" or "bill", the tainted message's aim is to trick you into clicking. Don't.

Opening e-mail attachments is growing riskier. A Microsoft report found that the first half of 2007 saw a 150 percent increase in phishing scams and a 500 percent increase in malicious payloads. If you don't have the Adobe PDF fix yet, obtain the patch at Adobe's site.

Three Critical Microsoft Fixes

Microsoft issued six security updates in its monthly Patch Tuesday round for October, including three "critical" patches. First on my list for a speedy fix installation: a memory corruption error vulnerability affecting users of Office 2000, Office XP, or Office 2004 for Mac.

Next up is a security hole present in Outlook Express 5.5 and 6, as well as in Windows Vista's Windows Mail.

Last on this "critical" list: a patch of Kodak Image Viewer for Windows 2000 users or people who upgraded from Windows 2000 Service Pack 4 to Windows XP. If you click a malicious link or visit a Web site with a poisoned URL (in a renegade banner ad, say), then you're in trouble.

For more details, read our discussion of this patch round.

Opera Software has patched two highly critical security flaws in its Web browser. If exploited, they could result in the complete takeover of your PC. To plug the holes, download the latest release of Opera.



© 2007 PC World Communications, Inc. All rights reserved