Another zero-day threat hits Windows

Sample code that exploits a yet-to-be-fixed Windows flaw is circulating. Microsoft plans to deal with it on the next Patch Tuesday.

Joris Evers Staff Writer, CNET News.com

Joris Evers covers security.

See full bio

Joris Evers

Sept. 29, 2006 5:10 p.m. PT

2 min read

Sample code is circulating on the Internet for an attack using a flaw that Microsoft knows about, but has not yet fixed.

On Thursday, Microsoft warned people about a vulnerability in the Windows Shell, the part of the operating system that presents the user interface. The flaw affects Windows 2000, Windows XP and Windows Server 2003 and could be exploited via the Internet Explorer Web browser through a component called WebViewFolderIcon, the company said in an advisory.

"An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer," Microsoft said. "An attacker who successfully exploited this vulnerability could gain the same user rights as the local user."

While sample exploit code has been published, Microsoft said it has not yet seen any related attacks. The vulnerability was actually discovered two months ago, but the code only surfaced this week, according to the French Security Incident Response Team.

Security monitoring company Secunia deems the issue "extremely critical," its most severe rating. Microsoft said it is working on a fix and plans to release it on Oct. 10 as part of its regular patch cycle. Meanwhile, it suggested several workarounds in its advisory to protect Windows systems.

On Friday, security company Determina provided a third-party fix for the flaw. It is the second time in as many weeks that an outsider has patched a flaw in a Microsoft product. Microsoft does not recommend using such third-party fixes, saying they could cause compatibility problems.

The Windows Shell bug is one of several flaws that are publicly known and for which exploit code is available, but which Microsoft has yet to patch. Cybercrooks are actively exploiting yet-to-be-fixed holes in PowerPoint, Word and IE, Microsoft has acknowledged.

Miscreants are taunting Microsoft with zero-day code, or attack code released immediately after a flaw or patch is made public, experts have said. Some security watchers have started to coin the term "zero-day Wednesday" to come after "Patch Tuesday," Microsoft's patch day on the second Tuesday of each month. Microsoft put its patches on a schedule to give IT managers time to plan and prepare.

Microsoft issued a "critical" security fix for Windows on Tuesday, two weeks before its October scheduled release date. The update repairs a flaw in a Windows component called "vgx.dll" that was being exploited widely in cyberattacks, experts said.