Exploit Wednesday follows MS Patch Tuesday

Less than 24 hours after Microsoft shipped fixes for code execution holes in Internet Explorer and Windows, proof-of-concepts for remote exploits are popping up on the Internet.

On security mailing lists and at the Milw0rm.com site, there are at least three exploits circulating. These provide a roadmap for attackers to launch remote attacks to take complete control of a Windows machine.

Two of the three target gaping holes in the dominant Internet Explorer browser -- flaws that could be exploited by simply luring the target to surf to a Web page. (See exploit code here and here).

The vulnerabilities -- in the Microsoft Speech API ActiveListen and ActiveVoice ActiveX controls -- have been patched with the MS07-033 bulletin, so it's important to treat that update with the highest possible priority.

Will Dormann of the CERT Coordination Center explains the real-world risks:

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause Internet Explorer (or the program using the WebBrowser control) to crash.

This patch applies to Internet Explorer 7 on Windows Vista.

Proof-of-concept code for a third exploit was released by Thomas Lim of COSEINC to provide technical details of a "critical" flaw in the Secure Channel (Schannel) security package in Windows. This bug was patched with MS07-031.

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
