Another “critical” unpatched flaw has been discovered in
Microsoft’s Internet Explorer browser, with exploit code for the
flaw already circulating on the internet.
Microsoft said it was investigating the vulnerability but users
may have to wait almost a month to get a patch for the problem
because the company released its latest batch of monthly security
patches only this Tuesday.
The French Security Incident Response Team (FrSIRT) has
described the scripting security problem as “critical”.
The hole allows attackers to remotely exploit users’ systems.
FrSIRT said, “A vulnerability has been identified which could be
exploited by remote attackers to crash a vulnerable browser or take
complete control of an affected system.
“This flaw is due to a memory corruption error when processing a
specially crafted argument passed to the "KeyFrame()" method of a
"DirectAnimation.PathControl" (daxctle.ocx) ActiveX object.”
FrSIRT said the problem could be exploited by attackers to cause
a denial of service attack or execute arbitrary commands by
convincing a user to visit a malicious web page.
In tests, FrSIRT said it had successfully exploited the
vulnerability on a fully patched Windows XP SP2 system.
It said the only way to tackle the problem at the moment is to
disable active scripting in the internet and local intranet
security zones on networks.
But disabling active scripting may cause some websites to work
incorrectly.
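To check whether that workaround is actually in place on a machine, the zone settings can be audited from a registry export. The following is an added example, not code from FrSIRT or Microsoft; it assumes the export has already been decoded to text and relies on Internet Explorer's standard zone numbering (1 = Local intranet, 3 = Internet) and URL action 1400 (Active scripting: 0 enable, 1 prompt, 3 disable).

```python
import re

# Constructed sample in .reg export format (not taken from a real system).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1400"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1A00"=dword:00000000
"1400"=dword:00000003
"""

ACTION = "1400"  # URL action: Active scripting
ZONES = {"1": "Local intranet", "3": "Internet"}  # zones named in the advisory
STATES = {0: "enabled", 1: "prompt", 3: "disabled"}

KEY_RE = re.compile(r"^\[HKEY_[A-Z_]+\\.*\\Internet Settings\\Zones\\(\d+)\]$", re.I)
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def audit_zones(reg_text):
    """Map each zone of interest to its active-scripting state in the export."""
    found, zone = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            zone = m.group(1) if m else None  # None: key is not a zone key
            continue
        m = VAL_RE.match(line)
        if m and zone in ZONES and m.group(1) == ACTION:
            found[zone] = int(m.group(2), 16)
    # "not set" means the export holds no explicit value for that zone.
    return {label: STATES.get(found[z], "unknown") if z in found else "not set"
            for z, label in ZONES.items()}

def mitigated(report):
    """True only when scripting is disabled in every zone of interest."""
    return all(state == "disabled" for state in report.values())

if __name__ == "__main__":
    report = audit_zones(SAMPLE_REG)
    for label, state in report.items():
        print(f"{label}: active scripting {state}")
    print("workaround in place:", mitigated(report))
```

The constructed sample leaves the Local intranet zone enabled, so the audit reports the workaround as incomplete even though the Internet zone is locked down.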
Along with its three security patches this week, Microsoft
issued its third patch update for a previous critical Internet
Explorer problem, after the previous two patching attempts failed
to tackle the vulnerability.