Microsoft warns of new Internet Explorer threat

Article

Microsoft warns of new Internet Explorer threat

Bill Brenner, Senior News Writer

Just days after releasing its monthly patch update, Microsoft warned Thursday of a new Internet Explorer flaw attackers could exploit to crash machines or take them over.

"Microsoft is investigating

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

new public reports of a vulnerability [that] may allow an attacker to execute code on a user's machine by convincing them to visit a malicious Web site using Internet Explorer," a Microsoft spokesman said in an email. The software giant confirmed exploit code has been publicly released but said it is not aware of any attacks attempting to use it.

Microsoft has released an advisory outlining steps users can take to protect their machines.

The French Security Incident Response Team (FrSIRT) said in an advisory that the flaw is due to a memory corruption error when processing a specially crafted argument passed to the "KeyFrame()" method of a "DirectAnimation.PathControl" (daxctle.ocx) ActiveX object. Attackers could exploit this condition to cause a denial of service or launch malicious commands by convincing a user to visit a malicious Web page.

FrSIRT said it successfully exploited the security hole on a fully patched Windows XP SP2 system.

To mitigate the threat, IT administrators should only allow trusted Web sites to run ActiveX controls, Danish vulnerability clearinghouse Secunia said in an advisory. FrSIRT recommended administrators disable Active Scripting in the Internet and local intranet security zones, though certain Web sites won't work properly if this is done.

The appearance of a new exploitable flaw immediately after Microsoft's monthly patch release has become a familiar pattern.

After the July patch release, a new zero-day flaw was found in Microsoft PowerPoint. After the June patch release, a Microsoft Excel zero-day flaw surfaced.