Hackers have published two more attacks on Windows, bringing the total to four this week.
One of these attacks exploits a critical vulnerability in the way that Windows processes files saved in the Windows Metafile graphics format, and it can be used to crash a system. Microsoft fixed this Metafile bug in its MS05-053 Security Update, released 8 November, so customers who have not yet applied this patch are the only ones at risk from this new attack.
The second attack targets a flaw in the Microsoft Distributed Transaction Coordinator (MSDTC), which was patched in October's MS05-051 Security Update. MSDTC is a component of the operating system that is commonly used by database software to help manage transactions.
This code appears to be an update to some earlier attack code, which was extremely buggy, according to David Marcus, security research and communications manager with McAfee. "The first exploit [the hacker] did of that code, it only worked on a bizarre Russian build of Windows 2000," he said. "The second revision seems to be a bit more stable."
"We definitely see that one as a problem, and that's definitely causing a lot of chatter," Marcus said. "The underground is latching on to this thing and they're figuring out some way to turn this into a worm candidate."
Most security experts expect Microsoft to patch this IE flaw by the time it releases its next security update on 13 December. To make things easier for systems administrators, Microsoft normally releases security patches on the second Tuesday of every month, but Marcus believes that the publicity surrounding the matter may prompt Microsoft to act sooner.
"I think for their own good public relations, they'll eventually release a patch out of cycle," he said. "They're getting too much publicity."