Microsoft Warns Of Dangerous IE Exploit - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
News
News
3/23/2006
09:19 PM
50%
50%

Microsoft Warns Of Dangerous IE Exploit

The company has promised to fix an exploit that has shown up for the just-announced CreateTextRange JavaScript bug.

An exploit for a new zero-day bug in Internet Explorer appeared Thursday, causing security companies to ring alarms and Microsoft to issue a security advisory that promised it would patch the problem.

Just a day after anti-virus vendors warned of a new zero-day vulnerability in Internet Explorer – the second such alert since Friday -- companies including Symantec and Secunia boosted security levels as news of a public exploit spread.

Symantec issued warnings to customers of its DeepSight Threat Management System that an exploit had appeared for the just-announced CreateTextRange JavaScript bug. "The DeepSight team has successfully tested this exploit, and verified that it does in fact work as advertised against a fully patched Windows XP SP2 machine," the warning read.

Although the publicly-posted exploit only launches a copy of the Windows calculator, "replacing the shellcode in this exploit would be trivial even for an unskilled attacker," Symantec continued.

Danish vulnerability tracker Secunia, which Wednesday had tagged the bug as "highly critical," raised the bar to its highest-possible "extremely critical" rating.

Microsoft confirmed the severity of the bug and the success of the exploit in its own advisory, issued late Thursday.

"Based on our investigation, this vulnerability could allow an attacker to execute arbitrary code on the user's system in the security context of the logged-on user," the Microsoft warning went.

Microsoft repeated a Wednesday promise to patch the bug, but still did not set a timetable. In rare cases, Microsoft has gone out-of-cycle to patch -- the most recent was early January -- but the company didn't promise that it would fix the flaw before the next scheduled date of April 11.

The published exploit could be used by attackers to add compromising code to malicious Web sites that would hijack PCs running IE 5.01, 6.0, and even the first iteration of IE 7 Beta 2 Preview.

Microsoft tried to downplay the danger by noting that users would have to be drawn to the malicious site, but that limitation has proved easy for hackers to hurdle. In December 2005, for instance, hundreds of sites compromised thousands of PCs using a different vulnerability to install spyware secretly in so-called "drive-by downloads."

Another attack angle, Microsoft said, could be Web advertisements. "It could also be possible to display specially crafted Web content by using banner advertisements," the advisory read.

Until the Redmond, Wash.-based developer releases a patch, IE users can protect themselves by disabling Active Scripting and/or increasing the browser's security settings to warn users before JavaScript runs.

Microsoft also said that the March edition of IE 7 Beta 2 Preview is immune to the bug.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
News
Achieving Techquilibrium: Get the Right Digital Balance
Jessica Davis, Senior Editor, Enterprise Apps,  10/22/2019
Commentary
Enterprise Guide to Edge Computing
Cathleen Gagne, Managing Editor, InformationWeek,  10/15/2019
Slideshows
IT Careers: 12 Job Skills in Demand for 2020
Cynthia Harvey, Freelance Journalist, InformationWeek,  10/1/2019
Register for InformationWeek Newsletters
Video
Current Issue
Getting Started With Emerging Technologies
Looking to help your enterprise IT team ease the stress of putting new/emerging technologies such as AI, machine learning and IoT to work for their organizations? There are a few ways to get off on the right foot. In this report we share some expert advice on how to approach some of these seemingly daunting tech challenges.
White Papers
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll