Microsoft has finally shipped a comprehensive fix for a critical URI handling vulnerability that exposes Windows users to drive-by malware attacks.
The patch, available in the MS07-061 bulletin, covers a remote code execution vulnerability in the way that the Windows shell handles specially crafted URIs that are passed to it.
This is the same bug that was being exploited via rigged PDF files more than a month ago.
If the Windows shell did not sufficiently validate these URIs, an attacker could exploit this vulnerability and execute arbitrary code. Microsoft has only identified ways to exploit this vulnerability on systems using Internet Explorer 7. However, the vulnerability exists in a Windows file, Shell32.dll, which is included in all supported editions of Windows XP and Windows Server 2003.
The Windows shell in Windows Vista is not affected by this vulnerability.
Microsoft said it has not identified any way to exploit this vulnerability on systems using Internet Explorer 6 but, as a defense-in-depth measure, the patch is being distributed to all customers using supported editions of Windows XP and Windows Server 2003, regardless of which version of Internet Explorer is installed.
A second bulletin in this month's Patch Tuesday (MS07-062) covers a spoofing vulnerability in Windows DNS Servers.
From the bulletin:
The Windows DNS Server service doesn’t provide enough entropy in its random choice of transaction values when it sends out queries to upstream DNS servers. An attacker who successfully exploited this vulnerability could gain information about the DNS server’s transaction IDs, and use that information to send malicious responses to DNS requests, thus redirecting Internet traffic from legitimate locations to an address of the attacker’s choice.
The DNS spoofing flaw carries an "important" rating.
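The bulletin's point is that a resolver whose query transaction IDs are predictable lets a forged answer match a pending query. As an added illustration (not code from Microsoft or the bulletin), this Python snippet runs two simple predictability checks over a sample of 16-bit transaction IDs and returns a verdict; the two generators are constructed stand-ins for a sequential resolver and a well-randomised one, not captured traffic, and the thresholds are assumptions.

```python
import random
from collections import Counter

# Constructed sample generators (assumptions, not captured DNS traffic).
def sequential_txids(start: int, n: int) -> list[int]:
    """A resolver that simply increments its 16-bit transaction ID."""
    return [(start + i) & 0xFFFF for i in range(n)]

def random_txids(n: int, seed: int = 7) -> list[int]:
    """A resolver that draws each 16-bit transaction ID uniformly (seeded for reproducibility)."""
    rng = random.Random(seed)
    return [rng.randrange(0x10000) for _ in range(n)]

def delta_predictability(values: list[int]) -> float:
    """Fraction of successive IDs whose 16-bit difference equals the single most common difference.
    1.0 means every next ID can be guessed from the previous one (e.g. a fixed increment)."""
    if len(values) < 2:
        return 0.0
    deltas = Counter((b - a) & 0xFFFF for a, b in zip(values, values[1:]))
    return deltas.most_common(1)[0][1] / (len(values) - 1)

def effective_bits(values: list[int], tolerance: float = 0.1) -> int:
    """Number of the 16 ID bits that are set roughly half the time across the sample.
    Bits that are stuck or heavily biased shrink the space an attacker has to guess."""
    n = len(values)
    ones = [sum((v >> bit) & 1 for v in values) / n for bit in range(16)]
    return sum(1 for frac in ones if abs(frac - 0.5) <= tolerance)

def assess_txids(values: list[int], max_pred: float = 0.05, min_bits: int = 16) -> dict:
    """Combine both checks. Needs a few thousand samples for the bit-bias test to be meaningful."""
    if len(values) < 1024:
        raise ValueError("need at least 1024 transaction IDs for a meaningful assessment")
    pred = delta_predictability(values)
    bits = effective_bits(values)
    return {
        "predictability": round(pred, 4),
        "effective_bits": bits,
        "weak": pred > max_pred or bits < min_bits,
    }

if __name__ == "__main__":
    # Starting at 0x5000 keeps the top four bits constant over 4096 IDs, so 12 bits vary.
    print("sequential:", assess_txids(sequential_txids(0x5000, 4096)))
    print("random:    ", assess_txids(random_txids(4096)))
```

Run against transaction IDs captured from your own resolver's outbound queries (e.g. from a packet capture), the same two numbers tell you whether an upstream forgery attempt would need to guess all 16 bits or far fewer.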