Exploits Hot on the Heels of Microsoft's Patches

Exploits appeared within hours for two of the bugs that Microsoft Corp. fixed Tuesday. Microsoft's June set of security updates patched 15 separate vulnerabilities, nine of them labeled "critical," the company's most serious threat rating. Exploit code for two of the bugs -- one in Internet Explorer (IE), the other in Windows XP, Windows 2000 and Windows Server 2003 -- has been posted to the Bugtraq and Full-disclosure mailing lists by researchers.

A. Micalizzi went public with a pair of exploits -- one successful against Windows 2000, the other against Windows XP -- that leverage one of the six IE bugs patched Tuesday. A bug -- actually two because both the ActiveListen and ActiveVoice ActiveX controls are flawed -- was tagged "critical" in IE6 on Windows 2000 and Windows XP SP2, and "critical" in IE7 on both XP SP2 and Windows Vista. ActiveListen and ActiveVoice provide speech processing and text-to-speech to the browser.

News source: PCWorld

2 Comments


markjensen said,
Hmmm.. Sounds like what happened to Apple right after they released Safari for Windows.

No, the guys looked at the bug that MS fixed and created an exploit based on that bug. By revealing what they fixed, MS gave them clues on where the bug lies. They want to take advantage of the window that exists when the patch is announced and when people apply those patches. That's why it is normal for the ThreatCon security status indicator to be set at "Level 2: Elevated," after the patches are revealed.