Microsoft yet to patch XP security flaw


Microsoft yet to patch XP security flaw

Cliff Saran

Microsoft has yet to release a work-around or patch to fix a serious problem in Windows XP affecting any Web applications running on a PC with Internet Explorer 7.0 installed.

Hackers have already successfully used the flaw to target Acrobat 8. Security experts have warned that the flaw could impact applications such as Skype and Firefox.

The Acrobat attack, called PDFex, was the third most virulent virus, according to monthly statistics from anti-virus security company Sophos.

"PDFex only started to circulate at the very end of the month, but still managed to account for more than 13% of all e-mailed malware during October. It was heavily spammed out between 26-28 October, and during that period, it accounted for a staggering two-thirds, or 66%, of all malware spread via e-mail," said Carole Theriault, senior security consultant at Sophos.

Microsoft's TechNet website said the problem was due the way Windows incorrectly handles specially crafted URLs. "Applications that pass un-validated URIs or URLs to Windows can be leveraged to exploit this vulnerability," Microsoft said. The vulnerability is present in supported editions of Windows XP and Windows Server 2003 with Windows Internet Explorer 7 installed.

Microsoft warned that an attacker could attempt to leverage this vulnerability by embedding a specifically crafted URI or URL into an application and then convince a user to perform an action that would trigger the vulnerability. For example an attacker could convince a user to follow a link in an e-mail message which could allow arbitrary code to be run in the context of the logged on user.

Email Alerts

Register now to receive IT-related news, guides and more, delivered to your inbox.
By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

COMMENTS powered by Disqus  //  Commenting policy