Microsoft warns of new Windows exploit
Friday, May 29, 2009
Microsoft is warning users of a critical web security vulnerability in Windows 2000, Windows XP and Windows Server 2003 that has been exploited in the wild. If left unfixed, the flaw could allow hackers to take control of PCs.
The vulnerability is in Microsoft DirectX - the Windows subsystem used for streaming video - which hackers have exploited using malicious QuickTime video files, according to a posting on the Microsoft Security Response Center (MSRC) blog.
"An attacker would try and exploit the vulnerability by crafting a specially formed video file and then posting it on a website or sending it as an attachment in email," the post said.
In a web-based attack scenario, an attacker would have to convince users to visit a malicious website. After a user clicks on a link to the site, they would be prompted to perform several actions. "An attack could only occur after they performed these actions," Microsoft said.
MSRC said the vulnerability is not in Apple's QuickTime and the vulnerable code was removed in crafting Windows Vista, Windows 7 and Windows Server 2008.
Microsoft said in a security bulletin it is aware of limited, active attacks that use the exploit and the company has activated its Software Security Incident Response Process (SSIRP) and is continuing to investigate the issue.
Details of workarounds are posted at Microsoft's security research and defense blog.
Related News:
UK cops arrest two in Zbot Trojan case - 11.19.2009
The British Metropolitan Police took two suspected cyber criminals into custody earlier this month in connection with an investigation into the Zbot banking Trojan.
Facebook shakes up privacy policy in response to criticism - 11.19.2009
After a week-long comment period in which 7,000 Facebook users voiced their opinions, the giant social media network announced that it would overhaul and simplify its privacy policy.
Domain registrar VeriSign will receive "major security update" by 2011 - 11.19.2009
A well-known security vulnerability in the way .com and .net websites process DNS values - the way alphanumeric website names are translated into numeric web addresses - will be fixed, but not until 2011, according to a report from tech news website ZDNet.
Malware attack targeting fans of Twilight series - 11.18.2009
As with many recent hot news trends, the upcoming release of the second movie based on Stephenie Meyer's Twilight books has attracted the attention not just of the vampire wannabes, but of actual cyber criminals as well.
Giant black-hat SEO campaign funnels victims to scareware sites - 11.18.2009
Security researchers say that cyber criminals have conducted a large-scale campaign to influence Google results, pushing malware-spreading sites higher on the list and dropping legitimate results to the bottom.
|
