RSSMicrosoft Investigating New IE Flaw
By Ed Oswald | Published August 18, 2005, 11:35 AM
A new vulnerability has been discovered within Internet Explorer 6 for Windows XP that could open up computers to attack through the execution of arbitrary code from a malicious Web site.
What's worse is that code to exploit the vulnerability is already available on the Internet, according to the French Security Incident Response Team. The group discovered the flaw and disclosed it on Wednesday.
The security hole is created through a memory corruption error when executing an instance of the msdds.dll object as an ActiveX control. A hacker could theoretically use the DLL to take control of an affected user's computer after a Web page designed to exploit the vulnerability is opened.
Microsoft issued its standard statement in response to the discovery and disclosure of the flaw, saying it was "aggressively investigating" the issue. While it has not been made aware of any attacks so far exploiting the vulnerability, Microsoft said would work towards releasing a patch as soon as possible.
It is unknown whether FrSIRT took appropriate measures to alert Microsoft, as the Redmond company said it was "concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk."
Also unknown is how common the DLL file is on machines. So far, the group has only found the file included with Microsoft's Visual Studio program, but they are continuing to investigate whether it may also be included in more common software.
Thursday's disclosure of a new vulnerability in Internet Explorer comes just a week and a half after Microsoft patched critical flaws in the browser that could have resulted in similar consequences.
According to security researchers, several variants of an exploit for those flaws are currently circulating on the Internet.
This only exploits older versions of the DLL... if you've kept up with Windows and Office updates, chances are you're fine. If you have 7.10.x version of MSDDS.DLL, you're not affected. Most likely cause of not being up-to-date is A) Not having the latest .NET Framework installed, B) Not having the latest Office or Visual Studio Service Pack installed.
Score: 0
|what's New updating Windows once a month like we used to do with new virus signitures
I wonder how long it will be before we are updating windows Like every hour ,as we do with our antivirus.
Score: 0
|How, really, is this related to the 'beta news scene'? It ain't a beta, and it's barely news (another vulnerability found...happens daily...big deal).
feh...
Score: 0
|There's stories on here all the time that don't necessarily have anything to do with betas, but that doesn't mean they aren't news.
Additionally, just because a news story isn't the top story for the day, that doesn't mean it's not newsworthy.
Score: 0
|Very few systems are vulnerable to this exploit. Even if you have the .dll on your system, it has to be a certain version.
Since this is an ActiveX issue, you can do a few things to work around the issue:
1 - Use non activeX browser (mozilla)
2 - Only allow ActiveX in IE for trusted site.
Score: 0
|3 - Set the kill bit for the DLL, causing IE to reject it.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F}\Compatibility Flags = 0x00000400
Score: 0
|wow... you did your research.
Score: 0
|If that really works, thats a pretty impressive / fastly made patch.
Score: 0
|It's published in the Microsoft advisory article.
Score: 0
|Article which was published some time after I posted that. I hadn't read the advisory. ;)
Score: 0
|suuuure.... ;-)
lol not bad. Not bad at all...
Score: 0
|