
Triple trouble for Microsoft users

Security researchers have reported three flaws affecting Microsoft, including two Internet Explorer glitches and a vulnerability affecting organizations that share Internet connections.

Security researchers are warning of three new flaws attackers could exploit to compromise Windows machines, two of which affect Internet Explorer (IE) users. According to a series of advisories posted over the weekend:

  • The "Execute()" function of the ADODB.Connection ActiveX object in IE contains an unspecified vulnerability that remote, unauthenticated attackers could exploit to launch malicious code or cause the browser to crash.

  • Danish vulnerability clearinghouse Secunia has uncovered another flaw in the newly released IE 7. This is the third IE 7 flaw the firm claims to have found in the last 12 days, and attackers could exploit it to spoof the content of legitimate Web sites.

  • Organizations using an Internet Connection Sharing (ICS) program are vulnerable to a Windows flaw attackers could exploit to cause a denial of service.

    IE ActiveX flaw
    The United States Computer Emergency Readiness Team (US-CERT) issued an advisory Friday warning of an unspecified flaw in the "Execute()" function of the ADODB.Connection ActiveX object in IE.

    "By convincing a user to view a specially crafted HTML document, an attacker may be able to execute arbitrary code with the privileges of the user," US-CERT said, adding that the attacker could also cause IE to crash.

    Until an official patch is released, US-CERT recommends users disable the ADODB.Connection ActiveX control in IE or disable ActiveX altogether.

    The Microsoft Security Response Center acknowledged in its blog that it is investigating the problem.

    "Once we have completed the investigation and understand if there is a threat to customers we will take the appropriate action to protect and provide guidance," Microsoft said.
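One way to carry out the US-CERT workaround above is the Internet Explorer "kill bit", shown here as an added example that is not part of the original article or of the US-CERT advisory. It assumes the kill bit (the `Compatibility Flags` value 0x400 under IE's `ActiveX Compatibility` key) is the chosen way to disable the control, and it resolves the CLSID from the local registry rather than hard-coding it. Run it without `-Apply` to audit only.

```powershell
# Added example: audit or set the IE kill bit for a COM control named by ProgID.
# Run from an elevated PowerShell prompt when using -Apply.
param(
    [string]$ProgId = 'ADODB.Connection',   # control named in the advisory
    [switch]$Apply                          # without this switch the script only reports
)

$KillBit = 0x400   # "do not load in IE" bit of the Compatibility Flags DWORD

# Resolve ProgID -> CLSID on this machine instead of trusting a pasted GUID.
$clsidKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
if (-not (Test-Path -LiteralPath $clsidKey)) {
    throw "ProgID '$ProgId' is not registered on this machine."
}
$clsid = (Get-Item -LiteralPath $clsidKey).GetValue('')

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both.
$roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path -LiteralPath 'HKLM:\SOFTWARE\Wow6432Node') {
    $roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

foreach ($root in $roots) {
    $key   = Join-Path $root $clsid
    $flags = 0
    if (Test-Path -LiteralPath $key) {
        $prop = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue
        if ($prop) { $flags = [int]$prop.'Compatibility Flags' }
    }

    if ($flags -band $KillBit) {
        Write-Output "[ok]      kill bit already set: $key"
    }
    elseif ($Apply) {
        # Preserve any other flags already present; only OR in the kill bit.
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
            -Value ($flags -bor $KillBit) -Type DWord
        Write-Output "[changed] kill bit set: $key"
    }
    else {
        Write-Output "[missing] kill bit not set: $key"
    }
}
```

The kill bit only stops Internet Explorer from instantiating the control; other applications that use ADO through the same object are not blocked by it.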

    A third IE 7 glitch
    Meanwhile, Secunia claims to have discovered a new IE 7 flaw, the third one since the overhauled browser was released a week and a half ago. This time, the problem is that a Web site can inject content into another site's window if the target name of the window is known, Secunia said in an advisory. Attackers could exploit this to spoof the content of a pop-up window opened on a trusted Web site.

    The issue appears to be related to an older flaw reported nearly two years ago in earlier versions of the browser. Secunia's advice is to avoid untrusted Web sites.

    Last week, Secunia warned of another IE 7 flaw malicious people could exploit to launch phishing attacks.

    The week before, Secunia warned of another IE 7 flaw attackers could exploit to disclose sensitive information. Secunia said that flaw was caused by an error in how redirections for URLs with the "mhtml:" URI handler are processed. Christopher Budd of the Microsoft Security Response Center disputed Secunia's claims on that flaw, saying it is actually a flaw in Outlook Express.

    ICS flaw
    Finally, San Francisco-based security vendor nCircle is warning of a flaw affecting Windows users who share their Internet connections. In the company blog, researcher Tyler Reguly said that attackers could exploit a NULL pointer dereference error in Windows NAT helper components to cause a denial of service.

    "The exploit requires Internet Connection Sharing (ICS) to be enabled and requires that the attacker be on the shared interface," Reguly said. However, he added, the threat appears low. "Current research leads me to believe that this only affects Windows XP with ICS," he said.
