A day after Patch Tuesday, Microsoft finds itself investigating reports of both a zero-day flaw affecting Internet Explorer 7 and a vulnerability in the WordPad Text Converter. Microsoft has not offered specifics as to when patches or security updates to fix the issues would be available.
A day after December's Patch Tuesday release Dec. 9, Microsoft is
investigating reports of a zero-day bug affecting Internet Explorer 7 as
well as attacks against an unpatched
flaw in the WordPad Text Converter.
According to Vupen Security, exploit code for the IE flaw takes advantage of
an issue with the parsing of malformed XML content. However, researchers
said the problem affects both the XML parsing engine of IE 7
and the library MSHTML.DLL.
"The vulnerability depends on how certain elements of HTML pages are
terminated and therefore could potentially affect not only XML, but also other
objects handled by the browser," Elia Florio, a security researcher at
Symantec, wrote in a blog post. "This means that attackers may start using
different attack vectors in the future to exploit this vulnerability, but at
the moment it seems that this recent exploit, which has been publicly released
on several Chinese forums, only uses the XML elements and tags."
The vulnerability, Florio continued, is caused by a function that
incorrectly frees a certain region of heap memory that allows an attacker to
control the EAX register with a specially crafted Unicode URL that includes the
"0x0A0A" value in it.
"Because of the nature of this attack, it does not depend on any
specific ActiveX control, so this time we can't tell you to disable or set the
KillBit for a specific CLSID," Florio wrote. "However, the attack
could help to somewhat mitigate the risk."
Attackers also have their sights set on a vulnerability in the WordPad Text
Converter for Word 97 files on Windows 2000 Service Pack 4, Windows XP SP2, and
Windows Server 2003 SP1 and SP2. According to Microsoft's advisory, Windows XP
SP3, Windows Vista and Windows Server 2008 are not affected because those
operating systems do not contain the vulnerable code.
"At this time, we are aware only of limited and targeted attacks that
attempt to use this vulnerability," the advisory stated. "For an
attack to be successful, a user must open an attachment that is sent in an
The advisory also said, "When Microsoft Office Word is installed, Word
97 documents are by default opened using Microsoft Office Word, which is not
affected by this vulnerability. However, an attacker could rename a malicious
file to have a Windows Write (.wri) extension, which would still invoke
WordPad. This file type can be blocked at the Internet perimeter."
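The perimeter block the advisory mentions, sketched as a mail-gateway check; this is an added example, not code from Microsoft's advisory or from the article. It rejects `.wri` attachments and notes when one carries the OLE2 compound-file header that Word 97 documents use. The function names, verdict strings and sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# OLE2 compound-file signature, the container format of Word 97 documents.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
BLOCKED_EXTENSIONS = {".wri"}  # Windows Write extension named in the advisory


def extension(filename):
    """Lower-cased extension; Windows drops trailing dots and spaces on open."""
    cleaned = filename.strip().rstrip(". ").lower()
    return "." + cleaned.rsplit(".", 1)[1] if "." in cleaned else ""


def attachment_verdicts(raw_message):
    """Return [(filename, verdict)] for every attachment in a raw message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if extension(name) not in BLOCKED_EXTENSIONS:
            verdict = "allow"
        elif payload.startswith(OLE2_MAGIC):
            # A Word 97 file renamed so that WordPad opens it instead of Word.
            verdict = "block-ole2-as-wri"
        else:
            verdict = "block-wri"
        results.append((name, verdict))
    return results


def build_sample():
    """Constructed sample message; addresses and contents are placeholders."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name, data in [("report.WRI", OLE2_MAGIC + b"\x00" * 32),
                       ("notes.txt", b"plain notes"),
                       ("old.wri.", b"constructed legacy content")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in attachment_verdicts(build_sample()):
        print(f"{name!r}: {verdict}")
```
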
Microsoft did not offer specifics on when patches or
updates to address the issues would be available.