Attackers are using a new, unpatched security flaw in Internet
Explorer to compromise machines running a number of versions of
Windows, including Vista.
Microsoft has confirmed the attacks that affect Internet Explorer 7, Vista and other versions of the operating system in a security advisory.
"Microsoft is investigating new public reports of targeted
attacks exploiting a vulnerability in the way Windows handles
animated cursor (.ani) files," the company said in its advisory.
"In order for this attack to be carried out, a user must either
visit a Web site that contains a Web page that is used to exploit
the vulnerability or view a specially crafted email message or
email attachment sent to them by an attacker."
The French Security Incident Response Team (FrSIRT) said in an advisory that the problem is a memory corruption error that surfaces when the operating system renders malformed cursors, animated cursors or icons. Attackers could exploit this to run malicious commands on a victim's machine. The flaw affects:
- Windows 2000 Service Pack 4
- Windows XP Service Pack 2
- Windows XP 64-Bit Edition Version 2003 (Itanium)
- Windows XP Professional x64 Edition
- Windows Server 2003
- Windows Server 2003 (Itanium)
- Windows Server 2003 Service Pack 1
- Windows Server 2003 SP1 (Itanium)
- Windows Server 2003 x64 Edition
- Windows Vista
- Internet Explorer 6
- Internet Explorer 7
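From the detection side, here is an added example (not from the article, Microsoft or FrSIRT) that checks whether a .ani attachment is structurally well-formed before it reaches the renderer the article describes; it assumes, as the article does not state, the standard RIFF/ACON layout with a fixed 36-byte anih header chunk, and runs on constructed sample files.

```python
import struct

# ANIHEADER is a fixed 36-byte structure (9 little-endian DWORDs); a chunk
# that declares any other size is malformed. This size is an assumption of
# the example, not something the article states.
ANIH_SIZE = 36


def parse_ani(data):
    """Walk the top-level RIFF chunks of an animated cursor and return a list
    of structural problems; an empty list means nothing looked malformed."""
    problems = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size + 8 > len(data):
        problems.append("RIFF size %d exceeds file length %d" % (riff_size, len(data)))
    pos = 12
    while pos + 8 <= len(data):
        tag = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body = pos + 8
        if body + size > len(data):
            problems.append("chunk %s claims %d bytes past end of file" % (tag, size))
            break
        # Every anih chunk is checked, not just the first one encountered.
        if tag == b"anih" and size != ANIH_SIZE:
            problems.append("anih chunk size %d != expected %d" % (size, ANIH_SIZE))
        pos = body + size + (size & 1)  # RIFF chunk bodies are word-aligned
    return problems


def build_ani(anih_payload):
    """Build a minimal RIFF/ACON file whose only chunk is anih (constructed
    test input, not a real cursor from any source)."""
    chunk = b"anih" + struct.pack("<I", len(anih_payload)) + anih_payload
    return b"RIFF" + struct.pack("<I", 4 + len(chunk)) + b"ACON" + chunk


# Constructed samples: a well-formed 36-byte header and an oversized one.
GOOD_ANI = build_ani(struct.pack("<9I", 36, 1, 1, 0, 0, 32, 1, 10, 1))
BAD_ANI = build_ani(b"\x41" * 92)

if __name__ == "__main__":
    for name, blob in (("good", GOOD_ANI), ("bad", BAD_ANI)):
        print(name, parse_ani(blob) or "ok")
```

A mail gateway or proxy can run this on anything with a .ani extension or a RIFF/ACON header and quarantine files that return problems.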
"As a best practice, users should always exercise extreme
caution when opening or viewing unsolicited emails and email
attachments from both known and unknown sources," Microsoft said,
adding that Windows Live OneCare's safety scanner has been updated
to remove any malware that exploits the flaw.
Microsoft acknowledged last week that it's investigating reports of another flaw in Vista.
That flaw reportedly affects Windows Mail on all versions of
Vista. Cupertino, Calif.-based antivirus giant Symantec Corp. said
attackers could potentially exploit a design flaw to delete files
or shut down the victim's computer.