Article

Microsoft warns of new Internet Explorer threat

Bill Brenner

Just days after releasing its monthly patch update, Microsoft warned Thursday of a new Internet Explorer flaw attackers could exploit to crash machines or take them over.

"Microsoft is investigating

    Requires Free Membership to View

new public reports of a vulnerability [that] may allow an attacker to execute code on a user's machine by convincing them to visit a malicious Web site using Internet Explorer," a Microsoft spokesman said in an email. The software giant confirmed exploit code has been publicly released but said it is not aware of any attacks attempting to use it.

Microsoft has released an advisory outlining steps users can take to protect their machines.

The French Security Incident Response Team (FrSIRT) said in an advisory that the flaw is due to a memory corruption error when processing a specially crafted argument passed to the "KeyFrame()" method of a "DirectAnimation.PathControl" (daxctle.ocx) ActiveX object. Attackers could exploit this condition to cause a denial of service or launch malicious commands by convincing a user to visit a malicious Web page.

FrSIRT said it successfully exploited the security hole on a fully patched Windows XP SP2 system.

To mitigate the threat, IT administrators should only allow trusted Web sites to run ActiveX controls, Danish vulnerability clearinghouse Secunia said in an advisory. FrSIRT recommended administrators disable Active Scripting in the Internet and local intranet security zones, though certain Web sites won't work properly if this is done.

The appearance of a new exploitable flaw immediately after Microsoft's monthly patch release has become a familiar pattern.

After the July patch release, a new zero-day flaw was found in Microsoft PowerPoint. After the June patch release, a Microsoft Excel zero-day flaw surfaced.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: