Microsoft Short On Change

Patch Wednesday Skips Critical IE vulnerability

As Microsoft’s December patch rolls by , nicely bedecked with updates for security flaws that have plagued computers for the past few weeks, the astute observer might note the conspicious absence of a patch for a new flaw in the way Internet Explorer 7 parses XML that can lead to total compromise of affected systems.

Exploit code for this flaw exists in the wild in the form of malicious JavaScript on (mostly) chinese malware-spreading websites. The flaw was published by Chinese IT security outfit Knownsec.


Non-chinese-reading readers are advised to use the google-translated version we’ve provided a link to here.


The exploit is used to download and execute a known Trojan, so most AV users are relatively safe for the moment. However, the minute the payload is changed, the picture will become completely different. Remains to be seen if Microsoft will issue an out-of-cycle patch or wait for the usual month before acknowledging and fixing the issue.

About the author


Razvan Stoica is a journalist turned teacher turned publicist and
technology evangelist. When Bitdefender isn't paying him to bring complex subjects to wide audiences, he enjoys writing fiction, skiing and biking.

Razvan Stoica started off writing for a science monthly and was the chief
editor of a science fiction magazine for a short while before moving on to
the University of Medicine in Bucharest where he lectured on the English
language. Recruited by Bitdefender in 2004 to add zest to the company's
online presence, he has fulfilled a bevy of roles within the company since.

In his current position, he is primarily responsible for the communications and community-building efforts of the Bitdefender research and technology development arm.