
You may have heard of Microsoft Update’s debacle this past Tuesday, with two critical Windows vulnerabilities disclosed when it was too late for this patching cycle:
- A flaw affecting the Word97 converter for WordPad on Windows XP SP2 and below, which is exploited by enticing users into opening a document with a “.wri” file extension.
- A juicier bug in Internet Explorer 7’s XML parser, any version, related to data binding, affecting all recent Windows operating systems up to Windows 2008 and Vista SP1. It is exploited automatically, without user intervention, to execute arbitrary code from ~~malicious~~ web sites.
I said “is exploited”, rather than “can be exploited”, because both these 0-day vulnerabilities are being actively exploited in the wild.
I also deleted “malicious” near “web sites”, because exploits for the latter vulnerability are being massively injected into legit web sites using automated SQL injection attacks.
Give yourself a Christmas gift: if there’s a best moment for switching to a safe or to a safer browser, that’s now.




December 11th, 2008 at 5:47 pm
I just posted a warning to IE Tab users in the MozillaZine Tech forum. Thank you for the heads up.
December 16th, 2008 at 10:29 pm
Preaching to the choir! But thanks. As I read this via my RSS, I was just in the process of rooting out the remains of IE on our computer… AGAIN, which someone in my family RE-installed… after all my work to get rid of it! Now, it’s been running silently, behind Firefox, screwing up everything. Ugh. Even WITHOUT all the bugs, etc., it’s a pain in and of itself.
December 17th, 2008 at 4:29 pm
[…] or disclosures to maximize their impact. Zero day critical vulnerabilities in three different Microsoft products have been disclosed immediately after last “black Tuesday”: is this really a […]