10/29/2003
Attackers are taking advantage of a security hole in Internet Explorer not immediately patched by Microsoft.
Security experts have warned that a vulnerability that has apparently been left un-patched by Microsoft is being exploited by attackers "in the wild".
The "object type" vulnerability, which was first acknowledged publicly by Microsoft on 20 August this year, allows an attacker to take control of a system by embedding malicious code in a Web-page. If the Web page is viewed by an Internet Explorer browser -- even a fully patched browser -- the malicious code embedded in the Web-page will execute, experts say. Despite Microsoft acknowledging the patch doesn't work, it evidently has not yet issued a working fix for the vulnerability.
US-based information security company iDefense released a statement over the weekend claiming the vulnerability is being actively exploited "in the wild".
"Whether you are patched or not, attackers can execute code on your computer at will when you visit a hostile website when using vulnerable versions of Internet Explorer," the statement read.
The relevant Microsoft bulletin was issued on 20 August and last updated on 8 September.
"Subsequent to issuing this security bulletin, Microsoft received reports that the patch provided with this bulletin does not properly correct the Object Type Vulnerability," Microsoft's security bulletin reads. "Microsoft is investigating these reports and will re-issue this bulletin with an updated patch that corrects these problems."
The managing director of mail-filtering software company Clearswift, Chy Chuawiwat, told ZDNet Australia the vulnerability is serious. "It's definitely there and it continues to be easy to exploit," he said. "It could run anything and the users wouldn't know."
Chuawiwat suggests users disable ActiveX controls and plug-ins until Microsoft issues a patch that fixes the vulnerability. "For most enterprises there's no need for ActiveX so it should be disabled," he said. "Our standard policy would remove executables including ActiveX."
Users can disable ActiveX controls in their Internet Explorer settings by clicking Tools, Internet Options, Security, and then modifying the settings for the "Internet Zone". Ironically, in order to patch the system through Microsoft's WindowsUpdate Web site when a fix becomes available, users must allow ActiveX controls and plug-ins to run in the Internet zone.
Comments:
It is funny that it took Microsoft a year to initially respond to this problem, then even after they did, it took them a month to get around to issuing a patch.
So finally, for the first time in over a year, you can use IE to surf
without having spyware automatically installed in your system by this particular exploit.
Now if they would fix the other 17, IE would be in business.

Connect with us or request a quote.

WEBPRO
Since 1994, WEBPRO has perfected Front Page Marketing that drives more qualified traffic!









Business or Industry:
Geography:
Package:
Submit Message