The Tekblog

On November 11th 2008 Microsoft released an advisory (MS08-068) detailing a vulnerability present in all currently supported versions of Internet Explorer – including beta versions of IE8. The exploitation technique is referred to as "SMB Reflection". There have been widespread reports of active exploitation of this vulnerability via Internet Explorer – including reports that the UK Postal Service’s website had been compromised, thusly compromising all of its visitors.

Sadly, the technique was first demonstrated in 2001 at @tlantacon, a hacker convention. Microsoft was aware of the vulnerability but there were so many mitigating factors and patching it would have broken backwards compatibility with specific applications, they decided to leave it unpatched. This recently released patch essentially further mitigates the vulnerability without truly "fixing" it. As this article is not meant as a technical dissertation on the vulnerability, if you want more technical information about this vulnerability and the recent patch, I suggest this article.

At Teklogic, we developed scripts to deploy this patch to our client base the day it was released. If you have an unpatched home PC, or know someone that does, you should get on over to Windows Update and ensure your system is up-to-date with the latest patches and Service Packs.

This is just more fodder for all of the Mozilla Firefox zealots. Although the now, very mature, browsing software has not been without its own issues lately – just proving that the only absolutely "secure" system is one that is unplugged and not in use.