When Secunia calls a Windows security update “extremely critical,” you know a serious vulnerability is being patched. The Windows security community has been abuzz since last week, when a number of remote code execution vulnerabilities originally thought to be limited to IE 7 turned out to affect other IE versions, and to involve general XML vulnerabilities as well. For more information on the update, see “Microsoft Security Advisory (961051) Vulnerability in Internet Explorer Could Allow Remote Code Execution” and “Microsoft Security Bulletin MS08-078 – Critical.”
Security Bulletin MS08-078 specifically mentions IE 5, 6, and 7, as well as Windows 2000, Windows XP, and Windows Vista on the desktop front, plus Windows Server 2003 and Windows Server 2008, in both 32- and 64-bit versions (where applicable). This update is also associated with the Pointer Reference Memory Corruption Vulnerability, CVE-2008-4844, in the Common Vulnerabilities and Exposures database.
The vulnerability is classed as “Remote Code Execution,” which essentially means that an attacker can take over a system and run any code he or she wishes to at a very high level of privilege. Please visit Windows Update and download this security fix for testing and evaluation as soon as possible. Zero-day exploits have already been reported, and the vulnerability is regarded as an active and hostile threat.