Microsoft has yet to release a work-around or patch to fix a serious problem in Windows XP affecting any Web applications running on a PC with Internet Explorer 7.0 installed.
The Acrobat attack, called PDFex, was the third most virulent virus, according to monthly statistics from anti-virus security company Sophos.
"PDFex only started to circulate at the very end of the month, but still managed to account for more than 13% of all e-mailed malware during October. It was heavily spammed out between 26-28 October, and during that period, it accounted for a staggering two-thirds, or 66%, of all malware spread via e-mail," said Carole Theriault, senior security consultant at Sophos.
Microsoft's TechNet website said the problem was due to the way Windows incorrectly handles specially crafted URLs. "Applications that pass un-validated URIs or URLs to Windows can be leveraged to exploit this vulnerability," Microsoft said. The vulnerability is present in supported editions of Windows XP and Windows Server 2003 with Windows Internet Explorer 7 installed.
Microsoft warned that an attacker could attempt to leverage this vulnerability by embedding a specially crafted URI or URL into an application and then convincing a user to perform an action that would trigger the vulnerability. For example, an attacker could convince a user to follow a link in an e-mail message, which could allow arbitrary code to be run in the context of the logged-on user.
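
The application-side check implied by Microsoft's statement about un-validated URIs, shown as an added example that is not code from Microsoft or from the original article: a URI is tested against a strict policy before the application hands it to the operating system. The allowed schemes, the character rules and the function name `validate_uri` are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed policy for this example: the only schemes the application will launch.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Shell-significant or URI-illegal characters rejected outright (assumed list).
ILLEGAL_CHARS = set('"\'\\<>^`{|}')
PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
PCT_CONTROL = re.compile(r"%(?:[01][0-9A-Fa-f]|7[Ff])")
HOST_OK = re.compile(r"^[A-Za-z0-9.-]+$")
MAILBOX_OK = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+$")


def validate_uri(uri):
    """Return (ok, reason) for a URI the application is about to hand to the OS."""
    if len(uri) > 2048:
        return False, "too long"
    # Printable ASCII only: no spaces, control characters or shell metacharacters.
    if any(not 0x21 <= ord(c) <= 0x7E or c in ILLEGAL_CHARS for c in uri):
        return False, "illegal character"
    # Every '%' must begin a well-formed %XX escape.
    if "%" in PCT_ESCAPE.sub("", uri):
        return False, "malformed percent-escape"
    # Well-formed escapes must not decode to control characters.
    if PCT_CONTROL.search(uri):
        return False, "encoded control character"
    try:
        parts = urlsplit(uri)
    except ValueError:
        return False, "unparseable"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if scheme == "mailto":
        ok = MAILBOX_OK.match(parts.path) is not None
        return ok, "ok" if ok else "bad mailbox"
    if not parts.hostname or not HOST_OK.match(parts.hostname):
        return False, "bad host"
    return True, "ok"


# Constructed sample inputs, not taken from the article.
SAMPLES = ["https://example.com/docs?id=42", "mailto:user@example.com",
           "mailto:user%zz@example.com", "file:///C:/Windows/notepad.exe",
           "http://exa mple.com/", "https://example.com/a%00b"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:45} -> {validate_uri(sample)}")
```

Only URIs for which `validate_uri` returns `(True, "ok")` would be passed on; everything else is dropped or logged with the returned reason.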