A patch released by Microsoft last month protecting against a critical vulnerability in Internet Explorer leaves systems open to other types of attacks. Experts recommend that Internet Explorer users apply a workaround, in addition to patching their systems to protect against the severe flaw in the Web browser software.
It appears that the patch protects against only a specific exploit of an object type vulnerability, which was discovered last month by eEye Digital Security of Aliso Viejo, Calif. The security research firm said the flaw could be exploited with a static object element in HTML.
However, another security research group, Malware.com, has found other ways the vulnerability can be exploited with a dynamic element and without Active Scripting enabled.
"The patch offers protection for a specific aspect in the vulnerability but fails to offer complete protection," said Lee Dagon of Israel-based GreyMagic Software, a security research and software firm, in an e-mail interview. "Inserting the vulnerable element dynamically, instead of statically, will result in full exploitation."
Microsoft released a critical advisory on the vulnerability Aug. 20. The vulnerability affects Internet Explorer 5.01, Internet Explorer 5.5 and Internet Explorer 6.0. The software giant is looking into reports that the patch doesn't address all ways the flaw can be attacked.
"Microsoft teams are continuing to investigate reports of new variations on a vulnerability in Internet Explorer that was originally addressed by Microsoft Security Bulletin MS03-032," the company said in a statement. "We have not received any reports that this issue is affecting any customers."
Experts fear the potential damage posed by the flaw. "This vulnerability is extremely severe; it allows arbitrary code to run in the context of the currently logged on user," Dagon said. "This means that a simple Web page is able to execute, read, write and remove anything accessible to the user on his or her computer."
Worm writers could create malware to exploit the vulnerability. It could also be used for targeted actions against vulnerable organizations. Exploiting it is just a matter of creating specific HTML code that's executed when viewed by Internet Explorer. "It's a trivial matter getting someone to click on a link," said Drew Copley, the research engineer with eEye who found the vulnerability.
A worm that exploits the vulnerability would move differently than Lovsan, which recently exploited the Remote Procedure Call (RPC) flaw in Windows. For example, the Internet Explorer worm may require social engineering to entice potential victims to click on a malicious link. "On the other hand, the author wouldn't need to write buffer overflow exploit code," Copley said.
Most recent high-profile vulnerabilities have been buffer overflows, which are common when applications are created with the C programming language. Copley describes the Internet Explorer flaw as a "configuration error" vulnerability. He recommends that users delete or rename the following registry key; doing so will protect against the vulnerability:
Deleting the key outright is the safest path, but renaming it to include a very long random number or character combination would offer a good degree of protection, according to Copley.
Even though the Internet Explorer patch isn't perfect, experts do suggest users apply it and take the workaround step. "I would definitely recommend that IE users apply the provided patch," said Thor Larholm, senior security researcher at PivX Solutions LLC, a Newport Beach, Calif.-based security research consultancy, during an e-mail interview. "The patch does fix several severe vulnerabilities, including all previous IE vulnerability fixes."