You may have heard of Microsoft Update’s debacle past Tuesday, with two critical Windows vulnerabilities disclosed when it was too late for this patching cycle:
- A flaw affecting the Word97 converter for WordPad on Windows XP SP2 and below, which is exploited by enticing users into opening a document with “.wri” file extension.
- A juicier bug in Internet Explorer
7’s XML parser, any version, related to data binding, affecting all recent Windows operating systems up to Windows 2008 and Vista SP1. It is exploited automatically, without user intervention, to execute arbitrary code from maliciousweb sites.
I said “is exploited“, rather than “can be exploited”, because both these 0 day vulnerabilities are being actively exploited in the wild.
I also deleted “malicious” near “web sites”, because exploits for the latter vulnerability are being massively infiltrated inside legit web sites using automated SQL injection attacks.
Give yourself a Christmas gift: if there’s a best moment for switching to a safe or to a safer browser, that’s now.