On the heels of our report of a possible new Microsoft Office zero-day yesterday comes news that there’s exploit code for some of the flaws Microsoft patched Tuesday.
Here’s an email alert I got from Symantec on the latest exploit activity:
“The DeepSight ThreatCon is currently at Level 2. Two exploits targeting the Microsoft Internet Explorer Speech API 4 COM Object Instantiation Buffer Overflow Vulnerabilities (BID 24426) have been published. These issues were patched by Microsoft on June 12, 2007 with security update MS07-033. One exploit is reported to achieve code execution on Windows XP SP2, while the other targets Windows 2000 SP4.”
These exploits should not surprise Windows admins. They appear each month within hours, and even minutes, of Microsoft’s patch rollout.
The obvious advice is to get those patches installed as soon as you can.