With Exploit Out, Microsoft Rushes IE 7 Fix

Using Internet Explorer 7 on Windows XP PCs remains risky. Plus: Grab Microsoft's Office and mail fixes, and beware of PDF attachments.

Microsoft finally stepped up work on a patch to address vulnerabilities in the way Internet Explorer 7 interacts with other programs. But with no fix available at press time, using IE 7 on Windows XP machines is risky business.

The problem lies in how IE 7 interacts, via its URI (uniform resource identifier) handler, with products such as Adobe's Acrobat Reader or Mozilla's Firefox. At first, Microsoft stonewalled, pointing a finger at Firefox; then, after acknowledging that the problem was its own, the company dragged its feet on a fix because no exploit existed. That changed when a PDF Trojan horse attack started making the rounds in October. Adobe patched Reader (see below), but that covers only one end of the worm hole.

Microsoft's patch has been in testing for a while and apparently will remain so for some time. My advice to Windows XP users: Stick with Firefox, version 2.0.0.6 and up, which already has a patch for the URI vulnerability. For more, read our updated information on the URI patch for IE 7.

The PDF attack that forced Microsoft's hand on the IE 7 fix described above also serves as a reminder: When it comes to unsolicited e-mail, trust no sender and no attachment, regardless of the file format.

The Trojan horse attack, which arrives in an infected Portable Document Format file, brings an old social-engineering ploy to PDFs, which malware filters usually don't vet. Carrying a subject line such as "invoice" or "bill", the tainted message's aim is to trick you into clicking. Don't.

Opening e-mail attachments is growing riskier. A Microsoft report found that the first half of 2007 saw a 150 percent increase in phishing scams and a 500 percent increase in malicious payloads. If you don't have the Adobe PDF fix yet, obtain the patch at Adobe's site.

Microsoft issued six security updates in its monthly Patch Tuesday round for October, including three "critical" patches. First on my list for a speedy fix installation: a memory corruption error vulnerability affecting users of Office 2000, Office XP, or Office 2004 for Mac.

Next up is a security hole present in Outlook Express 5.5 and 6, as well as in Windows Vista's Windows Mail.

Last on this "critical" list: a patch of Kodak Image Viewer for Windows 2000 users or people who upgraded from Windows 2000 Service Pack 4 to Windows XP. If you click a malicious link or visit a Web site with a poisoned URL (in a renegade banner ad, say), then you're in trouble.

For more details, read our discussion of this patch round.

Opera Software has patched two highly critical security flaws in its Web browser. If exploited, they could result in the complete takeover of your PC. To plug the holes, download the latest release of Opera.

Stuart J. Johnston, PC World

Subscribe to PC World Magazine