Posted: 11/13/2007 10:59

Critical Update Released For Windows XP and 2003

Earlier today, November 13, 2007, Microsoft released a critical update for Windows XP and Server 2003 systems.  This update addresses a flaw in validating and handling URIs (Universal Resource Identifiers) within the shell32.dll file.  This flaw could allow an attacker to run arbitrary code on systems without this patch by crafting a malicious URI and convincing end users to access it via a web browser, email client, or other applications.

Microsoft has seen active exploitation of this vulnerability using Internet Explorer 7 as the conduit.  However, as just about every Windows-based application loads shell32.dll, many other applications may serve as a conduit for attack.

University IT Services (formerly Computing Services) recommends that the update be applied as soon as possible via Microsoft Update or directly from the Microsoft Security bulletin.  More technical information is available at http://www.microsoft.com/technet/security/Bulletin/MS07-061.mspx