Another “critical” unpatched flaw has been discovered in Microsoft’s Internet Explorer browser, with exploit code for the flaw already circulating on the internet.
Microsoft said it was investigating the vulnerability, but users may have to wait almost a month for a patch because the company released its latest batch of monthly security patches only this Tuesday.
The French Security Incident Response Team (FrSIRT) has described the scripting security problem as “critical”.
The hole allows attackers to remotely exploit users’ systems. FrSIRT said, “A vulnerability has been identified which could be exploited by remote attackers to crash a vulnerable browser or take complete control of an affected system.
“This flaw is due to a memory corruption error when processing a specially crafted argument passed to the ‘KeyFrame()’ method of a ‘DirectAnimation.PathControl’ (daxctle.ocx) ActiveX object.”
FrSIRT said the problem could be exploited by attackers to cause a denial of service or execute arbitrary commands by convincing a user to visit a malicious web page.
In tests, FrSIRT said it had successfully exploited the vulnerability on a fully patched Windows XP SP2 system.
It said the only way to tackle the problem at the moment is to disable active scripting in the internet and local intranet security zones on networks.
But disabling active scripting may cause some websites to work incorrectly.
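One way to check whether that workaround is in place on a Windows machine is shown below. It is an added example, not from FrSIRT, Microsoft or the original article. It assumes the standard Internet Explorer zone registry layout (zone 1 is Local intranet, zone 3 is Internet, URL action 1400 is Active scripting), none of which is named in the article.

```powershell
# Added example: audit, and with -Apply set, the "Active scripting" URL action
# for the Local intranet (zone 1) and Internet (zone 3) security zones.
# Assumption: URL action 1400 = Active scripting; 0 = enable, 1 = prompt, 3 = disable.
param([switch]$Apply)

$zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$meaning = @{ 0 = 'enabled'; 1 = 'prompt'; 3 = 'disabled' }

# Locations where the zone setting can be stored. The two Policies keys are
# written by Group Policy, the other two by the Internet Options dialog.
$roots = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ActiveScriptingSetting {
    foreach ($zone in ($zones.Keys | Sort-Object)) {
        foreach ($root in $roots) {
            $key   = Join-Path $root "$zone"
            $value = (Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue).'1400'
            $state = if ($null -eq $value) { 'not set' }
                     elseif ($meaning.ContainsKey([int]$value)) { $meaning[[int]$value] }
                     else { "unknown ($value)" }
            [pscustomobject]@{ Zone = $zones[$zone]; Key = $key; ActiveScripting = $state }
        }
    }
}

if ($Apply) {
    # Write "disable" (3) to the per-user, non-policy key for both zones.
    foreach ($zone in $zones.Keys) {
        $key = Join-Path $roots[2] "$zone"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name '1400' -Value 3 -Type DWord
    }
}

# Report every location so a Group Policy value that differs from the
# per-user value is visible in the output.
Get-ActiveScriptingSetting | Format-Table -AutoSize
```

Run it without arguments to audit only. Rows reporting "enabled" or "not set" for either zone mean the workaround described above is not applied at that location.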
Along with its three security patches this week, Microsoft issued its third patch update for a previous critical Internet Explorer problem, after the previous two patching attempts failed to tackle the vulnerability.