IE7 flaw announced
Further proving that Internet Explorer has holes a bus can drive through, another one was found recently linked to the Adobe Flaws announced last week. This particular flaw exists in the way IE uses third party programs and can lead to outsiders gaining remote access to a user’s desktop. The flaw was first flagged this July, when it was found that a false URI (Uniform Resource Identifier) can be invoked upon a launch of Firefox via IE using malware.
A set of things needs to exist in order to be vulnerable. First of all, the system must use IE 7 and have Windows XP or Server 2003 installed. Microsoft used this as somewhat of an excuse, saying that the exploitation of the flaw is unlikely.
IE 7 is not the only program succeptible to the vulnerability and the list includes Firefox version 2.0.0.5, Netscape Navigator version 9.0b2, mIRC version 6.3, Outlook Express 6 and Outlook 2000, the only relatively new program in the list being IE7. Hackers may exploit this vulnerability especially when opening PDF files online.
Unlike Adobe, who announced that they would patch its software as soon as possible (the patch date, alas, being the end of October), Microsoft failed to do so upon detection, instead they released an advisory, saying what most users know already : they should think twice before opening suspicious attachments and should update their security software. The company argues that the flaw is not their fault and that the ones to be held accountable are "other suppliers". Whether this is a good enough reason not to make their software secure is questionable.
Whatever the case, Microsoft has announced the release of a patch that fixes the problem, thus finally discarding their "it’s HIS fault" excuse for making potential victims out of their customers (which are pretty scarce already). The patch, however, is quite late so it is generally a race of who makes it first: the hackers with their exploits or Microsoft with it’s patching.
Recently commented malware