Security researchers are warning of a bug in Internet
Explorer that could allow attackers to infect a PC by persuading a
user to click on a web image.
The vulnerability affects even Windows XP machines patched with
Microsoft's Service Pack 2 (SP2), making it the most serious hole
discovered in SP2 to date.
IE versions 5.01, 5.5 and 6 are not effective enough in the way
they screen drag-and-drop events, allowing attackers to potentially
slip code from the "internet" zone to the local machine, according
to researchers.
In a demonstration posted online by a "white-hat" hacker using
the internet pseudonym http-equiv, who discovered the flaw, a user
drags a graphic from one part of a web page to another, and this
action implants code in the user's startup folder, to be run the
next time Windows launches.
The exploit could be simplified even further, making it more
dangerous, said IT security firm Secunia. "Though the
[proof-of-concept] depends on the user performing a drag-and-drop
event, it may potentially be rewritten to use a single click as
user interaction instead," the firm said in its advisory.
In the absence of a fix from Microsoft, Secunia recommended
users to disable active scripting or use a different browser.
Instructions on disabling active scripting can be found on
Secunia's website.
Secunia considers the bug "highly critical", but Microsoft does
not agree. The company said the exploit requires so much user
interaction that it is effectively impossible to carry out.
Microsoft has not issued a patch, but said it is continuing to
investigate.
The reaction is similar to that received by an earlier bug
discovered in SP2 shortly after its release. German security firm
Heise Security warned that a new alert system warning users of
potentially dangerous files could be bypassed.
In that case, most researchers - including Heise itself - said
an exploit would require an unrealistic degree of social
engineering. "I think that Microsoft could have found a better
solution that would cause less chance of 'mishaps', but it does not
make it a vulnerability," said Secunia chief technology officer
Thomas Kristensen.
SP2 is designed to improve Windows security - and Microsoft's
reputation - through extensive changes to Windows XP's default
security settings, new security tools and a new patch management
system.
Because of the scale of the changes, which Microsoft admits are
likely to break many existing applications, businesses say they are
putting the service pack through a more rigorous testing procedure
than with other service packs.
IT managers are mainly enthusiastic about SP2, but a significant
minority say they have no plans to implement it, according to two
recent surveys, one in the UK, the other in the US. However, they
are sanguine about the impact on applications, seeing it as the
price you have to pay for added security.
Taken off guard by the large number of business customers who
rely on the Windows Automatic Updates feature for patches,
Microsoft last week postponed automatic distribution of the mammoth
service pack, but has now resumed delivery.
Matthew Broersma writes for Techworld