August 19, 2005 5:41 PM PDT

Microsoft: New IE flaw limited in scope

Microsoft has given more details on an Internet Explorer security bug discovered this week, saying the flaw puts only some systems at risk.

The security hole, reported on Wednesday by the French Security Incident Response Team, involves the Microsoft DDS Library Shape Control file. The Msdds.dll file has to be present on a computer for the machine to be vulnerable to possible compromise by an outside attacker.

The file is put on a computer only with Microsoft's Visual Studio 2002 and certain Office XP installations, according to a Microsoft alert updated on Friday.

Visual Studio is a tool designed for developers, so most home PCs will likely not have the file. In addition, Visual Studio 2002 is an older version. People who have updated their PCs to Visual Studio 2002 Service Pack 1 are not vulnerable, Microsoft said.

In another possible restriction on the flaw's scope, only specific versions of the Microsoft DDS Library Shape Control file are affected, the software maker said. The company provides technical details in its advisory.

The problem exists because IE will inappropriately let Web sites run other pieces of Microsoft software on a computer. The flaw is similar to vulnerabilities Microsoft fixed as part of its monthly patch release last week and in July.

An attacker could craft a malicious Web site that takes advantage of the flaw and gain control over a vulnerable PC that visits the Web site, according to FrSIRT. The intruder could exploit the flaw to install malicious software on those systems, FrSIRT has said. The research group rates the issue "critical," its most serious classification.

Microsoft said it is preparing a fix that will be included with an upcoming security bulletin. The company typically releases bulletins on the second Tuesday of every month.

The Deepest Sigh
by cjohn17 August 20, 2005 7:33 AM PDT
Another day, another flaw. It's the gift that keeps on giving.
True
by Andrew J Glina August 20, 2005 9:14 PM PDT
But it was Apple yesterday and it was the current product, not just an old developer's tool.
Same flaw, different DLL.
by August 20, 2005 8:08 AM PDT
What's wrong with IE is scripting should not be enabled in the Internet Zone. There should be no way to enable it in that zone nor should its default be set to enable nor should the customer be constantly hammered with prompts to enable scripting. No site should be able to arbitrarily run code on a customer's computer unless the site is trusted by that customer.
Unfortunately 3/4 of the web would have to be redesigned as most sites look for IE's user agent and serve up scripting based on that. Visit the same site with Firefox and it works without the scripting support yet these sites refuse to render properly with a secured IE. This site for instance is riddled with scripts of every variety and it is in my Trusted Sites list or it wouldn't render properly. For casual surfing to all manner of various nefarious internet sites scripting of any sort simply should not be enabled by default.
Until Microsoft gets this through their thick head IE will always have problems. It's this DLL today and tomorrow it'll be some other.