With Exploit Out, Microsoft Rushes IE 7 Fix

Illustration: Harry Campbell

Microsoft finally stepped up work on a patch to address vulnerabilities in the way Internet Explorer 7 interacts with other programs. But with no fix available at press time, using IE 7 on Windows XP machines is risky business.

The problem lies in how IE 7 interacts, via its URI (uniform resource identifier) handler, with products such as Adobe's Acrobat Reader or Mozilla's Firefox. At first, Microsoft stonewalled, pointing a finger at Firefox; then, after acknowledging that the problem was its own, the company dragged its feet on a fix because no exploit existed. That changed when a PDF Trojan horse attack started making the rounds in October. Adobe patched Reader (see below), but that covers only one end of the worm hole.

Microsoft's patch has been in testing for a while and apparently will remain so for some time. My advice to Windows XP users: Stick with Firefox, version 2.0.0.6 and up, which already has a patch for the URI vulnerability. For more, read our updated information on the URI patch for IE 7.

PDF Joins the Risky List

The PDF attack that forced Microsoft's hand on the IE 7 fix described above also serves as a reminder: When it comes to unsolicited e-mail, trust no sender and no attachment, regardless of the file format.

The Trojan horse attack, which arrives in an infected Portable Document Format file, brings an old social-engineering ploy to PDFs, which malware filters usually don't vet. Carrying a subject line such as "invoice" or "bill", the tainted message's aim is to trick you into clicking. Don't.

Opening e-mail attachments is growing riskier. A Microsoft report found that the first half of 2007 saw a 150 percent increase in phishing scams and a 500 percent increase in malicious payloads. If you don't have the Adobe PDF fix yet, obtain the patch at Adobe's site.