[ISN] Hackers seize on newfound flaw in Windows

[InfoSec News]

http://seattlepi.nwsource.com/business/253931_msftflaw30.html

By ROCHELLE GARNER
BLOOMBERG NEWS
December 30, 2005

A newfound flaw in Microsoft Corp.'s Windows operating system is being
used by hackers to install malicious code on personal computers.

Users can infect their computers by visiting certain Web sites that
are able to exploit some Windows-based applications, Internet security
company Panda Software said. It called the discovery "one of the most
serious vulnerabilities recently detected."

The flaw in the world's most popular software leaves PCs open to
adware and spyware as well as Trojans, which can hide damaging
programs.

Internet Explorer, Outlook and the Windows Picture and Fax viewer are
used to insert the potentially harmful code, said Patrick Hinojosa,
chief technology officer of Panda.

"Because this exploits particular programs on Windows, rather than
Windows itself, your machine can get infected simply by visiting a Web
site that's set up to exploit the flaw," Hinojosa said.

Microsoft is investigating reports of the problem, the company said on
its Web site. It hasn't yet developed a security patch, and recommends
that customers use caution and keep antivirus software up to date.

Panda found cases of infection almost immediately after the flaw was
first reported Tuesday, Hinojosa said.

Web sites exploiting the security lapse include toolbarbiz.biz and
buytoolbar.biz, Panda said. The sites are set up to install malicious
code by using the way applications process Windows Metafiles to show
images.

Microsoft has been working to improve the security of Windows, which
has come under attack from more than 17,000 computer viruses and
worms.

The latest vulnerability was found in Windows XP, Windows 2000 and
Windows NT systems. Panda said it is still testing Windows 98 for the
flaw.