September 14, 2006 5:10 PM PDT

Attack code targets new IE hole

Related Stories

Third time a charm for IE patch?

September 13, 2006

IE patch carries security bug

August 22, 2006

New Excel zero-day flaw used in attacks

June 16, 2006
Computer code that could be used to hijack Windows PCs via a yet-to-be-patched Internet Explorer flaw has been posted on the Net, experts have warned.

The code was published on public Web sites, where it is accessible to miscreants who might use it to craft attacks on vulnerable Windows computers. Microsoft is investigating the issue, the company representative said in a statement Thursday.

"Microsoft's initial investigation reveals that this exploit code could allow an attacker to execute memory corruption," the representative said. As a workaround to protect against potential attacks, Microsoft suggests Windows users disable ActiveX and active scripting controls.

The flaw is due to an error in an ActiveX control related to multimedia features and could be exploited by viewing a rigged Web page, Symantec said in an alert sent to users of its DeepSight security intelligence service Thursday. An attacker could commandeer a Windows PC or cause IE to crash, the security company said.

IE versions 5.01 and 6 on all current versions of Windows are affected, the French Security Incident Response Team, or FrSIRT, a security-monitoring company, said in an alert Wednesday. FrSIRT deems the issue "critical," its most serious rating. Microsoft noted that Windows 2003 running Enhanced Security Configuration is not affected.

Upon completion of its investigation, Microsoft may issue a patch for the flaw as part of its monthly release process, the company said. Microsoft is not aware of any attacks that attempt to exploit the new IE vulnerability at this time, it said.

The warning of the new flaw comes only days after Microsoft released its September patches. On Tuesday it released three updates, two for Windows and one for Office. The software maker also released a third version of an Internet Explorer fix after it botched the first two versions of the patch.

In recent months, word of new attacks has repeatedly followed shortly after "Patch Tuesday." Some experts believe the timing of the new attack is no coincidence, suggesting that attackers look to take advantage of a full month before Microsoft is scheduled to release its next bunch of fixes.

See more CNET content tagged:
attacker, attack, flaw, Microsoft Internet Explorer, Microsoft Corp.

21 comments

Join the conversation!
Add your comment
Not...
surprised by YET ANOTHER hole in IE7. Wasn't this release
supposed to be more secure? When will people figure out that IE is
possibly the most vunerable / worst secure software ever! Send a
message to M$! Switch to FireFox today!
Posted by robot999 (109 comments )
Reply Link Flag
Read the article!
The article clearly states that the hole exists only in IE 5.1 and 6. NOT IE7. Plus, IE7 is still in beta, so a few holes are to be expected. FYI, I personally use Firefox as my main browser and IE7 for those few Microsoft downloads, so you can't say that I'm a MS fanboy...
Posted by Hardrada (359 comments )
Link Flag
IE7 is not affected
I have IE7 installed, and it actually disables the vulnerable ActiveX control when you install it. Specifically it unregisters all controls registered in Danim.dll and Daxctle.ocx.
Posted by Hoopskier (6 comments )
Link Flag
V I S T A P O C A L Y P S E N O W ! ! !
It's the same old crap, new wrapper and still written by slack-jawed, brain-damaged goons. The crackers will rip this puppy open in a heart beat.

Roberto
Posted by Sumatra-Bosch (526 comments )
Reply Link Flag
Quick! Hide the Children!
...Not.

<sigh!>. OK, 3 Bits of common sense:

1. Software will ever be perfect because people (us) who write and use them aren't perfect.

2. A determined cracker will crack anything if it is worth his/er while.

3. Perfect security is easy. Simply build a closed, unchanging system. You won't be able to interact that system in any way once it's completed, but hey, it's SECURE.

Wait, you want to be able to use the system, right? How? ...and what about next guy? ...and what about tomorrow? Then the system will have to be able to adapt to possibilties in a myriad of combinations, won't it? The more versatile that system the greater the number combinations or eventualities it will have to make allowances for--and some "slacked-jawed goon" will have to spend hundreds of hours trying to plan for all of them.

Should Microsoft do a better job? HELL YES! ....but consider that it might take them several decades to plan for EVERY possible problem, (imagine hearing that IE ver 1, will come out next year because MS spent the last 18 years planning and fixing every possible hole in the code first), or they would have to create software that fixes itself--which would mean that the software has to think for itself. IE is full of holes and I seldom use it, but I would use it less if it was self aware and going to tell how to use and decide what it will let me do.

Lastly if MS were to disappear tomorrow and Apple or someone else ruled the market, we'd all be here in a couple of years, griping about how BrandX PC and/or OS is full of holes and needs patching, blah, blah
Posted by GreyClaw (81 comments )
Link Flag
But will the Bad Guys use it?
Hi Joris,

The original sample, as provided by the discoverers was only tested on Chinese XP sp2, and IE 6.0 sp1, and in our tests would not work reliably on any of our SP2 goats. It would crash the browser, but not execute code.

Now, since then, three or four different sets of folks have figured out how to make it execute code on regular SP2, so it obviously has the potential to be really big.

Equally obviously, we have signatures for it in SocketShield, and so far, our hunting pots have not found any web sites using it so it remains to be seen if any of the Evil WebMeisters will actually use it, no matter how good it is.

Historically, they tend to prefer to be spoonfed, and not figure out the exploits for themselves, and the fact that the only published code doesn't quite work may save us all by itself.

We'll continue to monitor the situation, and will post here if we start finding them in use. Currently, all is safe,
Cheers

Roger

CTO
<a class="jive-link-external" href="http://ExpLabs.com" target="_newWindow">http://ExpLabs.com</a>
Posted by explabs (2 comments )
Reply Link Flag
We found one
Hi folks,

This is a minor heads up... our hunting pots found a website this morning that is serving a modified version of this exploit.

It's only a minor heads up, because it is

(1) so far, just a single site, and
(2) the exploit is still only an IE crash in our tests.

In other words, it's still nothing much to worry about, but everyone should be aware that people are tweaking the code and experimenting. And, of course, there might be many more sites ... we don't see everything at once.

Cheers

Roger
CTO
<a class="jive-link-external" href="http://explabs.com" target="_newWindow">http://explabs.com</a>
Posted by explabs (2 comments )
Link Flag
Another day, another M$ vulnerability...
When will it end? Never, at least not while M$ is still illegally and monopolistically forcing software on to Windows (l)users.
Posted by extinctone (214 comments )
Reply Link Flag
Who? and When?
extintone writes "at least not while M$ is still illegally and monopolistically forcing software on to Windows (l)users"

Can you some questions for me? Please state the laws that are being violated? Please name the group of windows users who are claiming microsoft is forcing their software on them? Has microsoft threatened you personally if you failed to

When will it end? Never, because dissastisfied, anti-microsoft nerds would rather moan and groan about MS products because the one they use doesn't appeal to the masses. You remind me of a sleezy politician who can only sling mud at the opponent because he's no saint either.
Posted by Seaspray0 (9714 comments )
Link Flag
IE sucks
If you haven't switched to an alternative browser that is safer, quicker to fix problems and plain better like Firefox or Opera, switch now. IE sucks. IE 6.0 is pretty much unfixable. It's sad when we release a security patch only to find out that patch created a few more vulnerabilities. That's embarassing.
Posted by pentium4forever (192 comments )
Reply Link Flag
Is this really news?
Microsoft has a security leak everyday! I said this a year ago and I'll say it again:

You can't fix a house who's foundation is inadequate to hold it up!

J Gund
Tech01 Mobil
Mobil.Tech01.net
Posted by OneWithTech (196 comments )
Reply Link Flag
what?
No one's forcing you to use Microsoft software. What about Apple? They bundle applications with their OS too, and unlike Microsoft, there are fewer 3rd party options out there.
Posted by Hardrada (359 comments )
Reply Link Flag
So set the kill bit and get over it...
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}]
"Compatibility Flags"=dword:00000400
Posted by fred dunn (793 comments )
Reply Link Flag
IE User's Song to the the tune of Don't Bogart Me
Role out another one, just like the other one, you've been hanging onto it, so take another hit
Posted by slim-1 (229 comments )
Reply Link Flag
Why IE Fails?
It is really quite simple. M$ hires people with education but little or no experience primarily to idolize Bill and feed his ego. They may have all the talent in the world but without that practical experience the mistakes will abound.
Posted by Mister C (423 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.