Now comes word that two Microsoft products -- Outlook Express 6 and Outlook 2000 -- have joined the growing list of Windows applications that can be used as attack vectors.
According to Secunia's chief technology officer Thomas Kristensen, proof-of-concept code demonstrating the Outlook issue has been sent to Microsoft to prove that this is indeed a Windows vulnerability that's caused by a design change in Internet Explorer 7.
"Microsoft is now affected by [its] own design change," Kristensen said in an e-mail exchange." We hope that Microsoft now chooses the right path and creates a general fix for Windows [or] IE7 rather than start patching all their own applications and ask third party vendors to do the same," he added.
A spokesman for Redmond's security response team said the company is aware of what is described as "a potential issue in the way that Windows handles URLs passed in from other applications.
He also dropped a strong hint that this is something that might require a comprehensive Windows fix.
"Microsoft is continuing its investigation into this issue. Once we're done investigating, we will take appropriate action to help protect customers. This may include providing an update or additional guidance for customers."
[UPDATE: The company has issued a formal security advisory with more information on the risks. The advisory does not include any pre-patch workarounds. ]
That's a far cry from this statement from Microsoft in July:
Microsoft has thoroughly investigated the claim of a vulnerability in Internet Explorer and found that this is not a vulnerability in a Microsoft product.
An updated advisory from Secunia lists the following applications as attack vectors on fully patched Windows XP SP2 and Windows Server 2003 SP2 systems (with IE 7 installed):
- Firefox version 18.104.22.168
- Netscape Navigator version 9.0b2
- mIRC version 6.3
- Adobe Reader/Acrobat version 8.1 and prior (when opening PDF files)
- Outlook Express 6 (e.g. when following specially crafted links in VCards)
- Outlook 2000 (e.g. when following specially crafted links in VCards)