Microsoft patched two vulnerabilities on Tuesday, its regularly scheduled patch day, fixing a critical flaw in the way that the Windows Shell handles calls to other applications from Internet Explorer 7.
The flaw, which is currently being used by attackers to compromise systems, could be exploited through Internet Explorer 7 by convincing the user to click on a malicious uniform resource identifier (URI) link, or through e-mail if the user opens an attachment. Two weeks ago, Adobe released a patch that prevents its Acrobat Reader from being used as a vector for the attack.
"Applications that take URIs as input from untrusted sources such as attachments in e-mail, documents, or data from the network assuming it will be safe, are exposed to this vulnerability," Microsoft said in its advisory. "Under specific circumstances, processing specially crafted URI input could allow arbitrary code to be executed."
Microsoft also patched a vulnerability in its domain name service (DNS) software that could allow an attacker to reroute a victim's Internet requests to a server of the attacker's choosing. Microsoft rated the DNS spoofing issue as Important.
Windows users can download the software updates through Microsoft's Windows Update service.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos