Microsoft is investigating a claim that attackers could exploit a new Internet Explorer (IE) flaw to launch malicious code or cause a denial of service.
The flaw, outlined in an advisory on 28 August from the Xsec vulnerability research organisation, is caused by the way IE tries to instantiate certain COM objects as ActiveX controls.
Attackers can allegedly exploit the flaw by constructing a malicious Web page and tricking a user into visiting it. In an advisory sent to customers of its DeepSight Threat Management Service, antivirus giant Symantec noted that such a Web page would invoke the COM objects in a manner that would trigger the vulnerability. The malicious page could then pass content to the control, such as embedded memory addresses and executable instructions.
"An attacker can exploit this issue to execute arbitrary code within the context of the affected application," Symantec said. "Failed exploit attempts will result in a denial-of-service."
Symantec has warned that proof-of-concept code that demonstrates how to exploit the flaw is available.
Xsec said in its advisory that the vulnerability affects Windows 2000, Windows XP and Windows 2003. Xsec did not immediately respond to a request for more details.
Microsoft said it is investigating the flaw report and will provide guidance to customers as needed.
"Microsoft is not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time," a company spokesman said in an email exchange Monday. "Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include issuing a security advisory or providing a security update through our monthly release process."
In the meantime, Symantec recommended IT administrators and users:
- Run all software as a non-privileged user with minimal access rights;
- Ensure that non-administrative tasks like Web browsing and reading email are performed as an unprivileged user with minimal access rights;
- Do not follow links provided by unknown or untrusted sources;
- Never visit sites of questionable integrity or follow links provided by unfamiliar or untrusted sources;
- Set Web browser security to disable the execution of script code or active content; and
- Disable scripting and active content in the Internet Zone to limit exposure to this and other vulnerabilities.
Microsoft also has a list of workarounds to help IT administrators mitigate vulnerabilities like this one. They include:
- Configuring Internet Explorer to prompt before running ActiveX controls;
- Setting Internet and Local intranet security zone settings to "high";
- Restricting Web site access to only trusted sites; and
- Preventing COM objects from running in Internet Explorer by setting the kill bit for the control in the registry.
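As an added example that is not part of the article and is not Microsoft's or Symantec's own tooling, the PowerShell script below applies the workarounds listed by Symantec and by Microsoft above on a single Windows machine through the registry: it disables scripting and active content in the Internet zone, sets the Local intranet zone to prompt before running ActiveX controls, maps a site into the Trusted sites zone, and sets the kill bit for a control. The CLSID and the trusted domain are placeholders, because the article does not name the affected control; the real CLSID would come from Microsoft's eventual advisory. The registry paths, the kill-bit flag value (0x400) and the zone action IDs and values (0 = enable, 1 = prompt, 3 = disable) are the standard IE settings; the script assumes Windows PowerShell with the Registry provider, run from an elevated prompt.

```powershell
# Added example (not from the article, Microsoft or Symantec): apply the listed
# IE workarounds on one machine through the registry. The kill bit lives under
# HKLM, so run from an elevated prompt; zone settings are written under HKCU for
# the user who browses.
#
# PLACEHOLDERS (assumptions, not values from the article):
#   $Clsid       - placeholder GUID; take the real CLSID from Microsoft's advisory.
#   $TrustedSite - placeholder domain for the "trusted sites only" workaround.
param(
    [string]$Clsid       = '{00000000-0000-0000-0000-000000000000}',
    [string]$TrustedSite = 'intranet.example.invalid'
)

$ErrorActionPreference = 'Stop'

# IE zone numbers and URL-action IDs (standard values, documented by Microsoft).
$ZoneIntranet = 1
$ZoneTrusted  = 2
$ZoneInternet = 3
$ActionRunActiveX        = '1200'   # Run ActiveX controls and plug-ins
$ActionInitUnsafeActiveX = '1201'   # Initialize and script controls not marked as safe
$ActionActiveScripting   = '1400'   # Active scripting
$Enable = 0; $Prompt = 1; $Disable = 3   # the values each action can take

function Set-IeKillBit {
    # Compatibility Flags = 0x400 (the kill bit) stops IE instantiating this COM
    # object as an ActiveX control, whatever a page asks for.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Type DWord -Value 0x400
}

function Set-IeZoneAction {
    # Write one URL-action value for one zone of the current user.
    param([int]$Zone, [string]$Action, [int]$Value)
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    Set-ItemProperty -Path $key -Name $Action -Type DWord -Value $Value
}

function Add-IeTrustedSite {
    # Map a domain into the Trusted sites zone: ZoneMap\Domains\<domain>, a value
    # named after the URL scheme, DWORD = zone number.
    param([string]$Domain, [string]$Scheme = 'https')
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Type DWord -Value $ZoneTrusted
}

function Get-IeKillBitState {
    # Read the flag back so the change can be verified and recorded.
    param([string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (($flags -band 0x400) -eq 0x400)
}

# Symantec's advice: no script or active content in the Internet zone.
Set-IeZoneAction -Zone $ZoneInternet -Action $ActionRunActiveX        -Value $Disable
Set-IeZoneAction -Zone $ZoneInternet -Action $ActionInitUnsafeActiveX -Value $Disable
Set-IeZoneAction -Zone $ZoneInternet -Action $ActionActiveScripting   -Value $Disable

# Microsoft's advice: prompt before ActiveX on the intranet, and use trusted sites only.
Set-IeZoneAction -Zone $ZoneIntranet -Action $ActionRunActiveX        -Value $Prompt
Set-IeZoneAction -Zone $ZoneIntranet -Action $ActionInitUnsafeActiveX -Value $Disable
Add-IeTrustedSite -Domain $TrustedSite

# Microsoft's advice: kill bit for the affected control, then verify it took.
Set-IeKillBit -Clsid $Clsid
if (Get-IeKillBitState -Clsid $Clsid) {
    Write-Host "Kill bit set for $Clsid; IE will refuse to instantiate it."
} else {
    Write-Warning "Kill bit for $Clsid is not present; check that this shell is elevated."
}
```

The script writes the individual zone actions rather than the "High" template, because changing a zone's level in the registry alone does not rewrite the per-action values the browser actually consults. The kill bit is the only one of these workarounds that does not depend on the user's zone configuration, which is why it is the one to verify with Get-IeKillBitState before closing a change ticket.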