On Wednesday, November 20, Microsoft announced a major vulnerability in its software that could potentially affect millions of the company's customers. The flaw, rated critical, was discovered in the core Microsoft Data Access Components (MDAC) used by Internet Information Services (IIS), Microsoft's web server software, and by Internet Explorer, the world's predominant web browser.
The vulnerability, discovered by the California-based security company Foundstone, affects nearly all Microsoft operating systems (OS), as well as Internet Explorer versions 5.01, 5.5, and 6.0. Users of Windows XP are not exposed to the newly found flaw because the OS ships with MDAC 2.7, which is reportedly unaffected. In addition, mitigating factors in the configuration of IIS web servers may prevent them from being open to attack.
Both Microsoft and Foundstone describe this as a critical vulnerability that allows unauthorized execution of code. According to various security experts, the MDAC flaw could trigger another outbreak of worms like Code Red and Nimda, which spread automatically by exploiting similar vulnerabilities on internet-facing servers.
Microsoft has released a free patch for all affected customers and strongly recommends its installation.
Meanwhile, the software giant has also released a cumulative Internet Explorer update that fixes six new vulnerabilities in the popular browser. Although none of them is rated critical, the patch improves security by preventing potential information disclosure and IE crashes.