Microsoft has yet to release a work-around or patch to
fix a serious problem in Windows XP affecting any Web
applications running on a PC with Internet Explorer 7.0
installed.

Hackers have already successfully used the flaw to target
Acrobat 8. Security experts have warned that the flaw could
impact applications such as Skype and Firefox.

The Acrobat attack, called PDFex, was the third most virulent
virus, according to monthly statistics from anti-virus security
company Sophos.

"PDFex only started to circulate at the very end of the month,
but still managed to account for more than 13% of all e-mailed
malware during October. It was heavily spammed out between 26-28
October, and during that period, it accounted for a staggering
two-thirds, or 66%, of all malware spread via e-mail," said Carole
Theriault, senior security consultant at Sophos.

Microsoft's TechNet website said the problem was due to the way Windows
incorrectly handles specially crafted URLs. "Applications that pass
un-validated URIs or URLs to Windows can be leveraged to exploit
this vulnerability," Microsoft said. The vulnerability is present
in supported editions of Windows XP and Windows Server 2003 with
Windows Internet Explorer 7 installed.

Microsoft warned that an attacker could attempt to leverage this
vulnerability by embedding a specifically crafted URI or URL into
an application and then convincing a user to perform an action that
would trigger the vulnerability. For example, an attacker could
convince a user to follow a link in an e-mail message, which could
allow arbitrary code to be run in the context of the logged-on
user.