The online thugs are breaking into Windows via a new zero-day vulnerability in Windows XP, 2000 and Server 2003.
Zero-day loosely refers to an exploited hole which doesn't yet have a patch. This flaw is technically in a part of Windows called the XMLHTTP 4.0 ActiveX Control, but the attack is triggered when you view a poisoned Web page with Internet Explorer. IE calls up the ActiveX control to view the page, and the attacker nails the control with a buffer overflow. He can then download spyware, steal data, and generally have his way with your computer.
In its advisory, Microsoft doesn't say whether IE 7 users could be hit. But since the problem lies in a part of Windows, and IE just acts as a pass-through for the attack, it's likely that IE 7 is affected as well, although in IE 7 you might get a pop-up asking you to authorize the ActiveX control that you wouldn't get with IE 6.
Security company Secunia rates this extremely critical, its strongest warning. HTML e-mails could also carry the attack, but in its advisory, Microsoft says that most Outlook versions should already be protected.
To protect IE, the Microsoft advisory lists a number of workarounds that disable the ActiveX control and/or Active Scripting, but also warns that using them could stop many pages from working or result in a bunch of annoying pop-ups asking for your OK. Or you could switch to an alternate browser like Firefox or Opera until Microsoft releases a patch.
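The "disable the ActiveX control" workaround is done with IE's kill bit: a flag in the registry that tells Internet Explorer never to instantiate a given control, whatever page asks for it. The following is an added example, not from this article or from Microsoft's advisory; it checks whether the kill bit is set and sets it if not. The CLSID is a placeholder that you would replace with the one Microsoft's advisory gives for the XMLHTTP 4.0 control, and the script must run from an elevated (administrator) prompt.

```powershell
# Added example: check and set the IE "kill bit" for one ActiveX control.
# Registry location and the 0x400 flag are the documented kill-bit mechanism;
# the CLSID below is a placeholder, not the real control's identifier.
$KillBit = 0x400   # COMPAT_FLAG bit: IE refuses to load the control
$Base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return [bool]([int]$flags -band $KillBit)
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    # OR the bit in so any flags already present on the control are preserved
    $new = [int]$existing -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Placeholder CLSID: take the real value from Microsoft's advisory before running.
$Clsid = '{CLSID-FROM-MICROSOFT-ADVISORY}'
if (Test-ActiveXKillBit $Clsid) {
    "Kill bit already set for $Clsid"
} else {
    Set-ActiveXKillBit $Clsid
    "Kill bit set for $Clsid; IE will no longer load this control"
}
```

Removing the kill bit later (once the patch is installed) means clearing the 0x400 bit again; the control's own DLL is left untouched either way, so other applications that use it directly are not affected.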
Is there anything stable that Microsoft can create?
Is there anything stable that Microsoft or Windows can create?