Microsoft released a new patch for Windows that includes two security fixes, one of them critical. However, one vulnerability that was expected to be patched was left alone, raising concerns in the internet security community.
Security Bulletin MS07-061 fixed the critical vulnerability patched this month, a remote code execution flaw in Windows XP and Windows Server 2003 that had been known about since June and was being used to exploit users from the Web.
The exploit was made public last month and has already been widely used, most notably on a collection of Websites registered in Russia.
The problem, called the URI Handling Vulnerability, allows an attacker to eventually take total control of an affected computer when a victim visits an infected Web site. While the patch was made for Windows, only Internet Explorer 7 had been infected thus far.
The second patch, Security Bulletin MS07-062, fixes a DNS spoofing problem in Windows 2000 Server and Windows Server 2003. Microsoft said the problem had not been publicly disclosed, and is not being actively exploited.
Windows has two other vulnerabilities that are actively exploited, according to eEye Digital Security, which lists past and current security problems on its Zero-Day Tracker. While both of the problems have been disclosed for well over a year, neither of them is critical in nature, according to eEye. And neither of them has been fixed.