A couple of Microsoft Zero Day Vulnerabilities

For those still using Internet Explorer for regular web browsing, you need to read this:

From the "@RISK: The Consensus Security Vulnerability Alert - Week 50 2008"

(1) CRITICAL: Microsoft Internet Explorer Remote Code Execution Vulnerability (0day)

Affected:

Microsoft Internet Explorer 7 and possibly prior

Description: Microsoft Internet Explorer contains a remote code execution vulnerability in its handling of certain XML structures. A specially crafted web page can result in remote code execution with the privileges of the current user. This vulnerability is currently being exploited in the wild, and is reportedly not mitigated by the most recent Microsoft patches. No further technical details are publicly available for this vulnerability.

Status: Vendor confirmed, no updates available.

References:

Microsoft Security Advisory

http://www.microsoft.com/technet/security/advisory/961051.mspx

SecurityFocus BID

http://www.securityfocus.com/bid/32721

US-CERT Vulnerability Note

http://www.kb.cert.org/vuls/id/493881

Network World Article

http://www.networkworld.com/news/2008/120908-new-web-attack-exploits-unpatched.html?fsrc=rss-security

SecurityFocus BID

http://www.securityfocus.com/bid/32721

***********************************************

(2) CRITICAL: Microsoft WordPad Text Converter Remote Code Execution (0day)

Affected:

Microsoft Windows XP prior to Service Pack 3.

Description: Microsoft WordPad is a Rich Text Format (RTF) editor included by default in Microsoft Windows. It is the default viewer for RTF files. It contains a flaw in its Text Converter component. A specially crafted RTF document could trigger this vulnerability, allowing an attacker to execute arbitrary code with the privileges of the current user. This vulnerability is being actively exploited in the wild and is reportedly not mitigated by the most recent set of Microsoft patches.

Status: Vendor confirmed, no updates available.

References:

Microsoft Security Advisory

http://www.microsoft.com/technet/security/advisory/960906.mspx

US-CERT Vulnerability Note

http://www.kb.cert.org/vuls/id/926676

SecurityFocus BID

http://www.securityfocus.com/bid/32718

So why aren't you using something else? If you didn't know, there's Chrome, Firefox, Opera, and Safari available for Windows users, among others. The excuse that "I need IE for site X" may be valid for site X, but, why are you using it for everything else?


-Bob