Microsoft plugs 28 security holes – zero-day vulnerability still unpatched

Microsoft released 8 security bulletins on the last Patch Tuesday this year. The available updates close 28 security holes in the products from Redmond. Some critical vulnerabilities affect the surface rendering library GDI, where having a WMF graphic containing an exploit on the hard disk and browsing the folder with Windows Explorer may lead to full system compromise – even if you’re working as a user with limited rights. The other patches correct errors in Internet Explorer, Windows Media Player, Microsoft Office, Visual Basic runtime libraries, Windows Search and Microsoft SharePoint Server. Needless to say: install the updates ASAP!

Much more alarming, though, is a zero-day vulnerability in Internet Explorer 7. A proof-of-concept that exploits the way IE7 treats XML is circulating in Chinese forums. The exploit downloads additional components which install a rootkit to hide the malware and contact Chinese servers. We’re currently investigating the issue. Users of IE7 should disable Active Scripting in the browser configuration until details are clear and a patch or a workaround is out.

Dirk Knop
Technical Editor