Today, Microsoft released a security bulletin describing a critical vulnerability in Internet Explorer. By tricking one of your users into visiting a maliciously-crafted Web page or into opening a maliciously-crafted HTML e-mail, an attacker could exploit this vulnerability to execute code on that user's computer, with that user's privileges.
Internet Explorer Cumulative Patch Continues Fixing Months-Old Flaw

Severity: High

11 October, 2005

Summary:

If your users have local administrative privileges, the attacker could gain complete control of their systems. If you use Internet Explorer in your network, you should download, test, and deploy the appropriate Internet Explorer patches immediately.

Exposure:

Today, Microsoft described a vulnerability affecting Internet Explorer (IE) 5.01, 5.5 and 6.0. While Microsoft's bulletin treats the vulnerability as a new issue, it actually stems from a flaw that has haunted Microsoft since the middle of this year.

For busy administrators, the short story is that Internet Explorer can create ("instantiate") software components ("COM objects") that it has no need to create. A clever attacker can exploit this extraneous functionality to take over a victim's computer. Microsoft's patch disables COM objects that should not instantiate from IE, thus heading off this exploit. The cumulative patch also fixes all previously known Internet Explorer flaws, and slightly improves IE's Pop-Up Blocker and Add-on Manager.

If you want to know a little of the history behind this months-long issue, read on. Otherwise, skip to the Solution section.

Last July, we published a Wire post and Vulnerability Alert describing a flaw in the way IE handled a COM object called JView Profiler (Javaprxy.dll). By enticing one of your users into visiting a malicious Web page or opening a maliciously crafted HTML e-mail, an attacker could exploit this vulnerability to execute code on your user's computer, with that user's privileges. If that user had local administrative privileges, the attacker could gain complete control of that PC. Microsoft's IE cumulative patch for July fixed this issue by preventing IE from using the JView Profiler (Javaprxy.dll) COM object.

However, a month after fixing the JView Profiler (Javaprxy.dll) COM object issue, Microsoft released yet another IE cumulative patch. Among three new vulnerabilities, that cumulative patch fixed a security flaw Microsoft called the "COM Object Instantiation Memory Corruption Vulnerability." Microsoft had found out that many COM objects suffered from the same vulnerability as the JView Profiler (Javaprxy.dll). Microsoft's new cumulative patch for IE disabled a batch of COM objects they had found vulnerable to the earlier flaw.

Now, this month's cumulative patch for IE continues correcting Microsoft's "COM Object Instantiation Memory Corruption Vulnerability." They have found yet another batch of COM objects susceptible to this vulnerability, so this patch disables them in IE. As before, an attacker could exploit this vulnerability to execute code on one of your users' computers, with that user's privileges. If that user has local administrative privileges, the attacker could gain complete control of that PC. Of course, the attacker would first have to trick one of your users into visiting a malicious Web site or opening a maliciously-crafted HTML e-mail for this type of attack to succeed.

Let's hope that this patch finally disables all the COM objects vulnerable to this particular flaw.

Solution Path:

Microsoft has released a cumulative patch that fixes this vulnerability, as well as all previous ones. You should download, test, and deploy the appropriate IE patches as soon as possible.
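Internet Explorer refuses to instantiate a COM object whose CLSID has the "kill bit" (0x400) set in its "Compatibility Flags" value under the ActiveX Compatibility registry key. The following is an added example, not part of the original alert or of Microsoft's bulletin: a post-deployment check that reads a registry export and reports any expected CLSID that is still not blocked. It assumes the patch disables objects through the kill bit; the CLSIDs and the export text are constructed placeholders, so substitute the list from Microsoft's bulletin.

```python
import re

KILL_BIT = 0x400  # "Compatibility Flags" bit that stops IE instantiating the CLSID
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KEY_RE = re.compile(r"^\[" + re.escape(BASE) + r"\\(\{[0-9A-Fa-f-]{36}\})\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

def parse_flags(reg_text):
    """Map CLSID -> Compatibility Flags (None if the value is missing).
    reg_text is an already-decoded .reg export (regedit writes UTF-16)."""
    flags, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
            flags.setdefault(current, None)   # key seen, value not yet
        elif line.startswith("["):
            current = None                    # unrelated key: ignore its values
        elif current and FLAGS_RE.match(line):
            flags[current] = int(FLAGS_RE.match(line).group(1), 16)
    return flags

def audit(reg_text, expected_clsids):
    """Return {clsid: status} for every CLSID the patch should have disabled."""
    flags, report = parse_flags(reg_text), {}
    for clsid in expected_clsids:
        value = flags.get(clsid.upper(), "absent")
        if value == "absent":
            report[clsid] = "no key"
        elif value is None:
            report[clsid] = "no Compatibility Flags value"
        elif value & KILL_BIT:
            report[clsid] = "blocked"
        else:
            report[clsid] = "flags 0x%08X lack the kill bit" % value
    return report

# Constructed sample export and placeholder CLSIDs (not real identifiers).
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    "[%s\\{00000000-0000-0000-0000-000000000001}]" % BASE,
    '"Compatibility Flags"=dword:00000400', "",
    "[%s\\{00000000-0000-0000-0000-000000000002}]" % BASE,
    '"Compatibility Flags"=dword:00000020',
])
EXPECTED = ["{00000000-0000-0000-0000-00000000000%d}" % n for n in (1, 2, 3)]

if __name__ == "__main__":
    for clsid, status in audit(SAMPLE_EXPORT, EXPECTED).items():
        print(clsid, status)
```

Any status other than "blocked" on a patched machine means IE can still instantiate that object there and the deployment needs a second look.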