Microsoft Security Advisory 961051 Updated


This is Christopher Budd.

We’ve just posted a revision to Microsoft Security Advisory (961051) with the latest information from our ongoing work around this issue.

While the known attacks are only targeting Internet Explorer 7, we have found that the underlying vulnerability affects all currently supported versions of Internet Explorer. We have updated the advisory to include this information.

We’ve also added more workarounds to the advisory and updated our guidance to recommend that you evaluate implementing two of the workarounds together for the most effective protection. Specifically, we’re recommending both setting the Internet zone security setting to High and using ACLs to disable Ole32db.dll. Our research so far has shown that these two steps together provide the most effective protection for this issue.

Our latest information is that there are still limited attacks seeking to load malicious software on vulnerable systems. My colleagues over in the Microsoft Malware Protection Center (MMPC) have posted information about some of the malicious software they’ve detected in these attacks. We have also seen some trends that may indicate attempts to use SQL injection attacks against websites to load attack code on those websites. If you’re a website operator, you might want to review Microsoft Security Advisory (954462), which provides information on tools you can use to analyze your website’s code to help protect against SQL injection attacks.

We are continuing our work on this issue, including the development of a security update. We are also continuing our ongoing work with partners in the Microsoft Active Protections Program (MAPP) and Microsoft Security Response Alliance (MSRA) to provide information that they can use to provide additional protections for customers.

Most importantly, we will continue to provide updated information as we have it through our Advisory and the MSRC weblog.



*This posting is provided “AS IS” with no warranties, and confers no rights.*