Microsoft warns of new Internet Explorer threat

By Bill Brenner, Senior News Writer 15 Sep 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Just days after releasing its monthly patch update, Microsoft warned Thursday of a new Internet Explorer flaw attackers could exploit to crash machines or take them over.

"Microsoft is investigating new public reports of a vulnerability [that] may allow an attacker to execute code on a user's machine by convincing them to visit a malicious Web site using Internet Explorer," a Microsoft spokesman said in an email. The software giant confirmed exploit code has been publicly released but said it is not aware of any attacks attempting to use it.

Microsoft has released an advisory outlining steps users can take to protect their machines.

The French Security Incident Response Team (FrSIRT) said in an advisory that the flaw is due to a memory corruption error when processing a specially crafted argument passed to the "KeyFrame()" method of a "DirectAnimation.PathControl" (daxctle.ocx) ActiveX object. Attackers could exploit this condition to cause a denial of service or launch malicious commands by convincing a user to visit a malicious Web page.

FrSIRT said it successfully exploited the security hole on a fully patched Windows XP SP2 system.

To mitigate the threat, IT administrators should only allow trusted Web sites to run ActiveX controls, Danish vulnerability clearinghouse Secunia said in an advisory. FrSIRT recommended administrators disable Active Scripting in the Internet and local intranet security zones, though certain Web sites won't work properly if this is done.

The appearance of a new exploitable flaw immediately after Microsoft's monthly patch release has become a familiar pattern.

After the July patch release, a new zero-day flaw was found in Microsoft PowerPoint. After the June patch release, a Microsoft Excel zero-day flaw surfaced.

Tags: Web Browser Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Web Browser Security Security researchers develop browser-based darknet Microsoft cracks down on click fraud ring Mozilla patches 11 Firefox security flaws, JavaScript errors Microsoft patches WebDAV security vulnerability in bevy of updates IT pros can detect, prevent website vulnerabilities, thwart attacks Stolen FTP credentials likely in massive website attacks Trust eroding as social engineering attacks climb in 2009, says Kaspersky expert US-CERT warns of Gumblar, Martuz drive-by exploits Google study backs browser silent auto update feature Firefox update addresses several security flaws Web Browser Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary browser hijacker  (SearchSecurity.com) cache cramming  (SearchSecurity.com) cache poisoning  (SearchSecurity.com) honey monkey  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) NCSA  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary