
New Zero-Day Vulnerability In Windows

Posted by Zonk
from the worst-day-of-the-week dept.
Jimmy T writes "Microsoft and Secunia are warning about the discovery of a new 'Zero-day' vulnerability affecting all Microsoft-based operating systems except Windows 2003. Both companies state that the vulnerability is currently being exploited by malicious websites. One attack vector is through Internet Explorer 6/7 — so be aware where you surf to."

  • by Shados (741919) on Sunday November 05, 2006 @12:37AM (#16722023)
    Yes and no. This flaw is specific to XMLHTTP, which is kind of developed independently. You also can use XMLHTTP without using IE at all, that's why I say it's independent. It's probably a buffer overflow, and not much to do about it in this case. So yes IE7 has a flaw, but there really isn't anything they could do in the current context. -HOWEVER-, while IE7 is more secure than IE6 in a million ways, the WinXP version is nothing but a shadow of the real thing. The sandboxed IE7 is on Vista only, and I'm pretty damn sure this vulnerability is not an issue there. Anyway, so it's more semantic here, but you could say "yes, IE7 has a vulnerability". However, it's a little bit like if there was a vulnerability in KDELIB across the board...obviously that would touch Konqueror, no matter how secure Konqueror itself is... Can't excuse that one though. IE7 on XP is far, far from secure. More secure, but not secure.
  • by uhlume (597871) on Sunday November 05, 2006 @12:55AM (#16722127) Homepage
    Only by virtue of Microsoft's attempt to provide backward compatibility for AJAX sites developed for older versions of IE.

    Prior to IE7, the XMLHTTP object, used to retrieve data from external sources without full-page reloads, was provided by an external ActiveX control. With IE7, Microsoft has implemented XMLHTTP natively in-browser, rendering the ActiveX control unnecessary -- however, it's still possible for older sites which haven't yet been rewritten to take advantage of native XMLHTTP support to load the ActiveX version.

    The good news is, if you don't mind breaking the many AJAX-reliant sites which still use the old-style XMLHTTP object, you can disable it completely through IE7's (and IE6SP2's) Add-on management.
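
The native-versus-ActiveX fallback described in the comment above, as an added example that is not part of the original thread: it shows why a page that asks for the native object first keeps working once the ActiveX control is disabled, while a page that only asks for the control does not. The function names and the simulated browser objects are hypothetical, and the two ProgIDs are the commonly used legacy ones, which the thread itself does not name.

```javascript
// Added example: XMLHTTP transport selection. `env` stands in for the
// browser's global object (an assumption so this runs outside IE).
const LEGACY_PROGIDS = ["Msxml2.XMLHTTP", "Microsoft.XMLHTTP"];

// Old-style page code: goes straight to the external ActiveX control.
function createTransportActiveX(env) {
  if (typeof env.ActiveXObject !== "function") return { kind: "none", xhr: null };
  for (const progId of LEGACY_PROGIDS) {
    try {
      return { kind: "activex:" + progId, xhr: new env.ActiveXObject(progId) };
    } catch (e) {
      // Control disabled or not registered: try the next ProgID.
    }
  }
  return { kind: "none", xhr: null };
}

// Rewritten page code: native object first, ActiveX only as a fallback.
function createTransportNativeFirst(env) {
  if (typeof env.XMLHttpRequest === "function") {
    return { kind: "native", xhr: new env.XMLHttpRequest() };
  }
  return createTransportActiveX(env);
}

// Constructed stand-ins for three browser configurations.
function FakeXhr() {}
function makeActiveX(enabled) {
  return function ActiveXObject(progId) {
    if (!enabled) throw new Error("Automation server can't create object");
    this.progId = progId;
  };
}
const ie6 = { ActiveXObject: makeActiveX(true) };
const ie7 = { XMLHttpRequest: FakeXhr, ActiveXObject: makeActiveX(true) };
const ie7ControlDisabled = { XMLHttpRequest: FakeXhr, ActiveXObject: makeActiveX(false) };

// Which transport each style of page code ends up with in a given browser.
function compare(env) {
  return {
    nativeFirst: createTransportNativeFirst(env).kind,
    activeXOnly: createTransportActiveX(env).kind,
  };
}

for (const [name, env] of Object.entries({ ie6, ie7, ie7ControlDisabled })) {
  console.log(name, compare(env));
}
```

With the control enabled in IE7, the ActiveX-only path still instantiates the external control even though a native object is available, which is the backward-compatibility exposure the comment describes.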
  • by flyingfsck (986395) on Sunday November 05, 2006 @03:40AM (#16722879)
    From Secunia, the vulnerable versions are:
    Microsoft Windows 2000 Advanced Server
    Microsoft Windows 2000 Datacenter Server
    Microsoft Windows 2000 Professional
    Microsoft Windows 2000 Server
    Microsoft Windows Server 2003 Datacenter Edition
    Microsoft Windows Server 2003 Enterprise Edition
    Microsoft Windows Server 2003 Standard Edition
    Microsoft Windows Server 2003 Web Edition
    Microsoft Windows XP Home Edition
    Microsoft Windows XP Professional
