With Exploits Out, Microsoft's Urgency Grows

It's funny sometimes how all roads lead to Rome ? err, Microsoft.

Wednesday, we talked about active attacks in the wild that take advantage of a group of holes in Adobe's Acrobat/Reader that the company had patched just the day before. This involved doctored Portable Document Format (PDF) files that, once clicked to open, could completely compromise your PC.

The Adobe Acrobat/Reader update should protect you from those attacks, since the current batch are targeted at folks that have the reader installed on their PCs ? which I'm willing to bet is many of us, even if we don't realize it.

But, as it turns out, that patches only one end of the worm hole.

Now, Microsoft has updated a security advisory it issued in mid-October regarding the way that Internet Explorer 7 interacts with other products like Acrobat/Reader or Firefox. That has to do with what's called a uniform resource identifier (URI) handler in IE. At that time, I said it was lucky that no attacks were occurring in the wild yet . . . so with the advent this week of the Adobe exploit, you can scratch that. (And remember that you're at risk if you're running Windows XP with IE7 and have an unpatched copy of Acrobat/Reader.)

Like Adobe, the Mozilla folks also fixed Firefox's end of things ? back in July, as it turns out.

What I'm getting at here is that patching the products that use IE7's URI handler blocks attacks via each individual product that is patched. But it leaves open the hole at Microsoft's end of things that causes the problem in the first place ? and to its credit, Microsoft is owning up to it. But why is it taking so long?

Here's a discussion from the company's Security Response Center Blog:

"Third party applications are currently being used as the vector for attack and customers who have applied the security updates available from these vendors are currently protected. However, because the vulnerability mentioned in this advisory is in the Microsoft Windows ShellExecute function, these third party updates do not resolve the vulnerability ? they just close an attack vector .... Because ShellExecute is a core part of Windows, our development and testing teams are taking extra care to minimize application compatibility issues."

So there you've got it, folks. The patch for Microsoft's end of things has already been in testing for a while and apparently will be for a while yet. Given that active attacks have surfaced now, however, I suspect Microsoft won't wait until the next "Patch Tuesday" to roll it out ? if it's done before then.

Comments

Post a comment Post a comment

0 / 1000 max characters