Other MS patch news as well as a Yahoo vulnerability?
Or lack of currently available patch as the case may be. From the previous link it appears that there was at least one previously announced vulnerability that was not addressed in the recent patch day from Microsoft. From MS…
“this is a DoS only issue that was not addressed in MS06-040, but will be addressed in a bulletin.”
Not timeline yet on when… There are also public exploits out for (possibly related to MS06-046) which is related to the MS Help system.
There were also apparently problems with MS06-042 and there is a hotfix for those issues. (MS has had a rough year with updates it seems like there’s been at least one “problem child” fix each month.) This one was related to IE crashing on Windows 2000 SP4 and Win XP SP 1 It ALSO seemed to only affect html 1.1 encoded pages that involved compression *(that seems to be an odd enough combination I can imagine WHY that one got missed.)
There has been another bug making the rounds going by the name wgareg.exe. The previous link has suggestions on identifying and cleaning up the infection.
And finally, there may be another yahoo mail vulnerability. According to the description a malicious email could be opened by the victim and the “users cookie” would be sent back to the attacker. According to the description the malicious code would be in an attached html file and the victim did not need to view or download the attachmnet. This affected Internet Explorer according to the article.
Apparently, after retrieving the cookie, the attacker is able to log in to the victims yahoo mailbox, but cannot change the password (perhaps the cookie doesn’t disclose the password – just the active session?) It sounds like a session hijack more than a password crack. Yahoo has said that they are aware of the issue and will be rolling out a fix.