Summary:  Microsoft has recently issued an update to its security advisory 906267. This advisory addresses a possible vulnerability in its Internet Explorer product. Computers that utilize a particular COM object (Msdds.dll) are the only systems believed to be potentially vulnerable to this issue. Msdds.dll is not commonly installed on Windows systems but it is associated with the initial release of Microsoft Visual Studio 2002. Computers running Microsoft Office XP Service Pack 3 also have the potential for vulnerability but only if two additional dll files (Msvcr70.dll and Msvscp70.dll) are installed in a directory that is accessible to Internet Explorer processes. An exploit for this vulnerability has been publicly released but at the time of this writing the exploit (and/or any variants) has not been observed/reported to be circulating in the wild. Microsoft reports that it is actively investigating this issue and may release an update to address it in the near future.

Recommended Actions:  As part of its most recent update to the security advisory Microsoft is recommending that users of the initial release of Microsoft Visual Studio 2002 apply Microsoft Visual Studio 2002 Service Pack 1 (link provided below). As a preventive measure, System Administrators and Desktop Support Personnel that support users of Visual Studio 2002 and/or Office XP Service Pack 3 are encouraged to read the vendor's Security Advisory page (link provided below) for more information on the issue and (if appropriate) apply the Service Pack at their earliest convenience.

ITS Actions:  ITS is taking no specific additional actions to address this vulnerability. An update will be issued if this situation changes.

Resources:
Microsoft Security Advisory 906267
Microsoft Visual Studio Service Packs