IT administrators who have yet to install an Internet Explorer
(IE) patch released in February may want to move it up the priority
list. Attackers have access to exploit code for one of the flaws
the patch addressed.
Websense Security Labs reported on its Web site Monday that
"full exploit code" has been published for the flawed
ADODB.Connection ActiveX control in Microsoft Data Access
Components (MDAC). Attackers could exploit the flaw, which
Microsoft patched in its Feb. 13 MS07-009 bulletin, to hijack
targeted machines.
"Our scanners are now actively searching for any live sites that
are attempting to exploit this vulnerability," Websense said in its
advisory. "This type of vulnerability has been very popular with
malicious attacks in the past and we expect to see its usage
increase substantially now that exploit code is publicly
available."
The flaw was originally brought to light by Metasploit Framework
creator HD Moore during his
Month of Browser Bugs project last July.
"The original demonstration of this vulnerability occurred on
July 29, 2006 in HD Moore's Month of Browser Bugs #29," Websense
Security Labs said. "At the time, only a denial-of-service
demonstration was published."
The faulty ActiveX control at the heart of the flaw is used in
Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows
Server 2003 and Windows Server 2003 for Itanium-based Systems.
The patch can be downloaded from the Microsoft Web site.