September 20, 2006
On September 19, 2006, Microsoft acknowledged that previously undocumented operating system vulnerability was discovered in the Vector Markup Language implementation, and that public release of exploit code has been confirmed. The Microsoft Advisory and the CVE Reference provide technical details.
Microsoft may not release a security update until Oct 10, so Case users are advised to keep their antivirus signatures updated, and follow the four workaorunds suggested in the Microsoft Advisory.
Additionally, users should consider using Firefox as a default browser.
Jesper's Blog indicates how OU administrators can take action in GPOs to prevent managed windows hosts from being compromised.
Unlike the attacks of the MS06-040 Server Service vulnerability which could be exploited remotely via the network, this vulnerability depends upon user interaction.
Posted by Thomas Siu at 03:23 PM