Microsoft is investigating a claim that attackers could exploit a new Internet Explorer (IE) flaw to launch malicious code or cause a denial of service.
The flaw, outlined in an advisory yesterday from the Xsec vulnerability research organization, is caused by the way IE tries to instantiate certain COM objects' ActiveX controls.
Attackers can allegedly exploit the flaw by constructing a malicious Web page and tricking a user into visiting it. In an advisory sent to customers of its DeepSight Threat Management Service, Cupertino, Calif.-based antivirus giant Symantec Corp. noted that such a Web page would invoke the COM objects in a manner that would trigger the vulnerability. The malicious page could then pass content to the control, such as embedded memory addresses and executable instructions.
"An attacker can exploit this issue to execute arbitrary code within the context of the affected application," Symantec said. "Failed exploit attempts will result in a denial-of-service."
Symantec has warned that proof-of-concept code that demonstrates how to exploit the flaw is available.
Xsec said in its advisory that the vulnerability affects Windows 2000, Windows XP and Windows 2003. Xsec did not immediately respond to a request for more details.
Microsoft said it is investigating the flaw report and will provide guidance to customers as needed.
"Microsoft is not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time," a company spokesman said in an email exchange Monday. "Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include issuing a security advisory or providing a security update through our monthly release process."
In the meantime, Symantec recommended IT administrators and users:
Run all software as a non-privileged user with minimal access rights;
Ensure that non-administrative tasks like Web browsing and reading email are performed as an unprivileged user with minimal access rights;
Do not follow links provided by unknown or untrusted sources;
Never visit sites of questionable integrity or follow links provided by unfamiliar or untrusted sources;
Set Web browser security to disable the execution of script code or active content; and
Disable scripting and active content in the Internet Zone to limit exposure to this and other vulnerabilities.
Microsoft also has a list of workarounds to help IT administrators mitigate vulnerabilities like this one. They include:
Configuring Internet Explorer to prompt before running ActiveX controls;
Setting Internet and Local intranet security zone settings to "high";
Restricting Web site access to only trusted sites; and
Preventing COM objects from running in Internet Explorer by setting the kill bit for the control in the registry.
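The two registry-based mitigations above (tightening the Internet zone's ActiveX and scripting settings, and setting the kill bit for a control) can be applied and verified from an elevated PowerShell session. The script below is an added example for this article, not code from Microsoft, Symantec or Xsec. The article does not name the affected control's CLSID, so the CLSID here is a placeholder that must be replaced with the value from the vendor advisory; the registry locations, the 0x400 kill-bit flag and the zone action IDs (1200 for "Run ActiveX controls and plug-ins", 1400 for "Active scripting", with 0 = Enable, 1 = Prompt, 3 = Disable) are Microsoft-documented.

```powershell
# Added example (not from the article). Run as an administrator.
# PLACEHOLDER CLSID: the article does not give the affected control's CLSID.
$Clsid = '{00000000-0000-0000-0000-000000000000}'

# --- 1. Kill bit: stop IE from instantiating this COM object, machine-wide (HKLM) ---
$killBitKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
if (-not (Test-Path $killBitKey)) {
    New-Item -Path $killBitKey -Force | Out-Null
}
# 'Compatibility Flags' = 0x400 is the documented kill-bit value (Microsoft KB240797).
Set-ItemProperty -Path $killBitKey -Name 'Compatibility Flags' -Value 0x400 -Type DWord

# --- 2. Internet zone (zone 3) for the current user: prompt for ActiveX, disable scripting ---
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
Set-ItemProperty -Path $zoneKey -Name '1200' -Value 1 -Type DWord   # Run ActiveX controls: Prompt
Set-ItemProperty -Path $zoneKey -Name '1400' -Value 3 -Type DWord   # Active scripting: Disable

# --- 3. Verification helpers, so the change can be audited rather than assumed ---
function Test-KillBit {
    param([string]$ClsidToCheck)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$ClsidToCheck"
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band 0x400) -eq 0x400)
}

function Get-ZoneAction {
    param([int]$Zone, [string]$ActionId)
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $value = (Get-ItemProperty -Path $key -Name $ActionId -ErrorAction SilentlyContinue).$ActionId
    switch ($value) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { "Unset/unknown ($value)" }
    }
}

"Kill bit set for $Clsid : $(Test-KillBit -ClsidToCheck $Clsid)"
"Internet zone, Run ActiveX (1200): $(Get-ZoneAction -Zone 3 -ActionId '1200')"
"Internet zone, Active scripting (1400): $(Get-ZoneAction -Zone 3 -ActionId '1400')"
```

The kill bit lives under HKLM and therefore applies to every user on the machine, which is why it is the stronger of the two mitigations for a specific control; the zone settings above are written to HKCU and only affect the current user, so in a managed environment the equivalent Internet Explorer zone settings should be pushed through Group Policy, which overrides per-user values.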