Microsoft Circles Wagons Over Windows Security Threat
The remote code execution vulnerability affects Windows XP and Windows Server 2003 with Internet Explorer 7 installed, and stems from the manner in which Windows handles certain types of URLs. Phishers and various other miscreants are actively exploiting the bug by tricking users into opening malicious PDF files.
On Thursday, Bill Sisk, a member of Microsoft's Security Response Center communications team, said Windows users who have applied the patches that Adobe issued earlier this week for Acrobat and Reader are protected from that particular exploit. But because the flaw affects a core part of Windows known as the ShellExecute function, "these third party updates do not resolve the vulnerability -- they just close an attack vector," Sisk wrote.
Steven Reese, security practice manager at Nexus Integration Services, Valencia, Calif., said Microsoft's methodical approach to fixing security vulnerabilities and its practice of patching on a regular monthly cycle detract from the vendor's ability to respond quickly in these types of situations.
"The hacking community has realized the advantages of releasing exploits the day after the release of the patches. Microsoft isn't set up to dynamically react to threats because of the method they've chosen," said Reese.
In a sign of the severity of the threat, Microsoft has launched its Software Security Incident Response Plan (SSIRP), a global effort in which the vendor's own product teams and researchers team up with partners and external consultants to develop patches for serious security vulnerabilities.
In an ironic coincidence, the Microsoft Malware Protection Center, which oversees development of the anti-malware engine in Forefront, earlier this week released the third edition of its Security Intelligence Report, which covers trends in security threats during the first six months of the year.
Microsoft researchers reported that over the past two years, working exploit code has been made available for only 26 percent of vulnerabilities, and is also less prevalent when it comes to flaws in newer software products.