Topic: Microsoft

SAN JOSE, Calif. - Microsoft Corp. has taken the rare step of warning about a serious computer security vulnerability it hasn't fixed yet.

The vulnerability disclosed Monday affects Internet Explorer users whose computers run the Windows XP or Windows Server 2003 operating software.

It can allow hackers to remotely take control of victims' machines. The victims don't need to do anything to get infected except visit a Web site that's been hacked.

Security experts say criminals have been attacking the vulnerability for nearly a week. Thousands of sites have been hacked to serve up malicious software that exploits the vulnerability. People are drawn to these sites by clicking a link in spam e-mail.

The first documented bug in the Windows 7 Release Candidate (build 7100) is a doozy.

Yesterday, Microsoft published Knowledge Base article 970789, which provides details of a problem that affects the 32-bit (x86) English-language version of Windows 7 build 7100. The problem, in short, is that the installer incorrectly sets access control lists (ACLs) on the root of the system drive. The longer version is described as follows:

In the English version of Windows 7 Release Candidate (build 7100) 32-bit Ultimate, the folder that is created as the root folder of the system drive (<var>%SystemDrive%</var>) is missing entries in its security descriptor. One effect of this problem is that standard users such as non-administrators cannot perform all operations to subfolders that are created directly under the root. Therefore, applications that reference folders under the root may not install successfully or may not uninstall successfully. Additionally, operations or applications that reference these folders may fail.