Microsoft has finally released a patch for the object type vulnerability in Internet Explorer that was exploited...
by the QHost-1 Trojan last week.
The cumulative patch, released Saturday at midnight EDT, also patches a previously unannounced flaw in Internet Explorer. The new vulnerability involves how Internet Explorer handles XML data binding. Microsoft has deemed both vulnerabilities "critical." The company recommends immediately installing the patch, which covers all released patches for Internet Explorer 5.01, 5.5 and 6.0. Both flaws could allow attackers to run arbitrary code on vulnerable systems.
Microsoft broke practice with this cumulative patch. Recent fixes have been sent out on Wednesdays.
Microsoft also changed how Internet Explorer handles Dynamic HTML (DHTML). Currently, attackers can exploit a vulnerability to make Internet Explorer run script code in the security context of the Internet Zone. The company warns that this vulnerability can be exploited using Windows Media Player's ability to open URLs. Specially crafted HTML-based e-mails could be used for such an attack. The company recommends that users update this application in addition to installing the patch.
The vulnerabilities can be exploited in two ways. In either case, a remote attacker can gain the same system privileges as the system users. "Users whose accounts are configured to have few privileges on the system would be at less risk than ones who operate with administrative privileges," Microsoft said in a press release.
First, HTML e-mails containing malicious code could be sent. Second, a malicious Web site could be created to take advantage of the flaws.
The latter approach was used by QHost, which emerged last week to wreak havoc with PCs' DNS settings. The Trojan injected itself into systems when users visited a site hosted by Web host FortuneCity.com. It then changed the DNS settings for computers so all requests were routed through IP addresses set by the Trojan's author. It also redirects popular search URLs such as google.com and altavista.com to a search site of the author's choosing.
Until the patch is installed, users can, as a workaround, disable Active Scripting. That prevents infection from QHost, but it could affect the loading of other Web sites. Users can also remove the MIME registry key. The key is located at:
FOR MORE INFORMATION:
FEEDBACK: Do you applaud Microsoft for breaking from its practice of sending alerts on Wednesdays with MS03-040?
Send your feedback to the SearchSecurity.com news team.