Microsoft probes alleged Internet Explorer flaw

A research group claims attackers could launch malicious code using a flaw in the way Internet Explorer instantiates certain COM objects' ActiveX controls.

Microsoft is investigating a claim that attackers could exploit a new Internet Explorer (IE) flaw to launch malicious code or cause a denial of service.

The flaw, outlined in an advisory on 28 August from the Xsec vulnerability research organisation, is caused by the way IE tries to instantiate certain COM objects' ActiveX controls.

Attackers can allegedly exploit the flaw by constructing a malicious Web page and tricking a user into visiting it. In an advisory sent to customers of its DeepSight Threat Management Service, antivirus giant Symantec noted that such a Web page would invoke the COM objects in a manner that would trigger the vulnerability. The malicious page could then pass content to the control, such as embedded memory addresses and executable instructions.

"An attacker can exploit this issue to execute arbitrary code within the context of the affected application," Symantec said. "Failed exploit attempts will result in a denial-of-service."

Symantec has warned that proof-of-concept code that demonstrates how to exploit the flaw is available.

Xsec said in its advisory that the vulnerability affects Windows 2000, Windows XP and Windows 2003. Xsec did not immediately respond to a request for more details.

Microsoft said it is investigating the flaw report and will provide guidance to customers as needed.

"Microsoft is not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time," a company spokesman said in an email exchange Monday. "Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include issuing a security advisory or providing a security update through our monthly release process."

In the meantime, Symantec recommended IT administrators and users:

  • Run all software as a non-privileged user with minimal access rights;
  • Ensure that non-administrative tasks like Web browsing and reading email are performed as an unprivileged user with minimal access rights;
  • Do not follow links provided by unknown or untrusted sources;
  • Never visit sites of questionable integrity or follow links provided by unfamiliar or untrusted sources;
  • Set Web browser security to disable the execution of script code or active content; and
  • Disable scripting and active content in the Internet Zone to limit exposure to this and other vulnerabilities.

Microsoft also has a list of workarounds to help IT administrators mitigate vulnerabilities like this one. They include:

  • Configuring Internet Explorer to prompt before running ActiveX controls;
  • Setting Internet and Local intranet security zone settings to "high";
  • Restricting Web site access to only trusted sites; and
  • Preventing COM objects from running in Internet Explorer by setting the kill bit for the control in the registry.
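The last two workarounds in Microsoft's list, applied from an administrator's PowerShell session, as an added example that is not part of the article or of any Microsoft or Symantec guidance. The CLSID is a placeholder (the article names no control); the registry locations are the documented kill-bit key (Compatibility Flags 0x400) and the per-zone "Run ActiveX controls and plug-ins" setting (value 1200).

```powershell
# Added example, not from the article. Run from an elevated prompt.
# Placeholder CLSID: substitute the CLSID of the affected control from the vendor advisory.
$PlaceholderClsid = '{00000000-0000-0000-0000-000000000000}'

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # Compatibility Flags = 0x400 tells IE never to instantiate this CLSID.
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Preserve any flags already present and OR in the kill bit.
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flags = [int]($current -as [int]) -bor 0x400
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $flags -Force | Out-Null
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # Returns $true when the kill bit is present for the given CLSID.
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return [bool]([int]($current -as [int]) -band 0x400)
}

function Set-IEZoneActiveXPrompt {
    # Zone 3 = Internet, Zone 1 = Local intranet (current user's settings).
    # Value 1200 = "Run ActiveX controls and plug-ins": 0 = enable, 1 = prompt, 3 = disable.
    param([int[]]$Zones = @(3, 1))
    foreach ($zone in $Zones) {
        $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name '1200' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

Set-ActiveXKillBit -Clsid $PlaceholderClsid
Set-IEZoneActiveXPrompt
"Kill bit set for $PlaceholderClsid : $(Test-ActiveXKillBit -Clsid $PlaceholderClsid)"
```

On 64-bit Windows the 32-bit browser reads the same key under HKLM:\SOFTWARE\Wow6432Node, so set the kill bit in both locations there.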