In the wake of this week's malware attacks using rigged PDF files, Microsoft has updated its security advisory to stress that the underlying flaw -- in the Windows operating system -- is still not fixed.
The advisory, first issued on October 10, points to an unpatched code execution hole in Windows XP and Windows Server 2003 (with Windows Internet Explorer 7 installed). While applications like Adobe Reader/Acrobat are currently being used as the vector for attack, Microsoft is making it clear that patches from third-party vendors aren't a cure-all for this bug.
"[B]ecause the vulnerability mentioned in this advisory is in the Microsoft Windows ShellExecute function, these third party updates do not resolve the vulnerability - they just close an attack vector," says Bill Sisk, a member of Redmond's security response communications team.
Following the PDF-borne attacks, which use a combination of Trojan downloaders and rootkits to steal data from infected computers, Sisk said Microsoft triggered its Software Security Incident Response Plan (SSIRP), a process that handles all aspects of response to a computer/Internet attack.
As part of our SSIRP process we currently have teams worldwide who are working around the clock to develop an update of appropriate quality for broad distribution. Because ShellExecute is a core part of Windows, our development and testing teams are taking extra care to minimize application compatibility issues.
To help protect yourself during the interim we continue to recommend that you should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources and/or visiting untrusted websites. This is absolutely one of the most effective ways to help protect yourself from a variety of threats on the Internet today.
Sisk described the PDF exploit as "active" but "fairly limited" and said Microsoft is working around the clock to monitor the situation and get a patch out the door.
Microsoft's next scheduled patch release date is Tuesday November 13, 2007 -- a full 18 days away. An out-of-cycle patch could be forthcoming but this is unlikely unless the attacks intensify.
[ UPDATE: October 26, 2007 @ 12:30 PM ] Anti-virus vendor F-Secure is warning that malicious PDFs are currently being "massively spammed."