New, High Risk IE, Outlook Flaws Reported

Two new, high risk flaws have been reported in Microsoft Internet Explorer and Outlook, according to eEye, the security firm that first discovered the flaws in mid-to-late March.

Microsoft said it was investigating the reported flaws but added that it had no customer reports of attacks by way of those flaws.

The newly discovered IE and Outlook flaws are believed to affect Windows NT 4, Windows 2000, and Windows XP, though Microsoft said it was uncertain whether Windows 2003 was affected as well.

One flaw, found in mid-March, was in default installations of IE and Outlook and is believed to allow malicious code to execute with little or no user interaction. The second flaw, found toward the end of March, likewise appeared in default installations, but details weren't fully confirmed beyond the statement that attacks could occur through Web browsers or Outlook clients.

"If someone found these exploits, they could break into your computer through a Web page, or by sending an e-mail," said eEye co-founder and chief hacking officer Marc Maiffret as the company disclosed what they discovered. "They could even leverage the vulnerability through a chat client."

Grumbling continues over whether Microsoft takes too long to confirm and patch security vulnerabilities, with some complaining the software giant takes as long as a year for some fixes while the industry standard is two months. "Part of it is the way they look into vulnerabilities," Maiffret said, "but another part of it is marketing, so they can say they've issued fewer security bulletins and so they're making things more secure."

The news arrived at a time when a new study, by Canadian asset trackers AssetMatrix, determined that only a quarter of businesses surveyed have been running Windows XP Service Pack 2, despite Microsoft's urging business clients to upgrade to the pack since it was released last summer.

AssetMatrix said 24 percent of about 136,000 corporate computers it studied had upgraded to Service Pack 2, noting that most of the rest weren't blocking it but simply hadn't upgraded in large numbers. Of 207 companies studied that used XP on ten or more machines, AssetMatrix said, 40 percent blocked SP2 universally while 8 percent "forced" SP2 on all XP machines.

"Very few companies have drawn the line in the sand," said AssetMatrix managing director Steve O'Halloran. "A good deal of the companies have a mixed environment."