Newly patched browser vulnerable to more malware.
Microsoft’s beleaguered Internet Explorer browser is once again the subject of security worries, as another fully functioning exploit is unveiled.
The vulnerability, first publicised in July as part of H. D. Moore of Metasploit’s ‘Month of Browser Bugs’, was originally exploited only by a DoS attack that crashed the browser. Now Moore has released details of a new exploit capable of launching arbitrary code on fully patched machines.
The flaw is in the ActiveX control ‘WebViewFolderIcon’. Many malicious sites are reported to be making use of the exploit.
Secunia has rated the flaw as ‘extremely critical’ and SANS went to yellow alert status after numerous reports, with both websites and ecards carrying exploit code.
‘This latest stream of bugs is causing serious damage to IE’s already bad reputation,’ said John Hawes, Technical Consultant at Virus Bulletin. ‘Microsoft must be hoping Vista and IE7 will prove more resilient, but the odds already look to be pretty heavily stacked against them.’
The Secunia alert is here, and one from USCert is here. A Microsoft advisory, here, points out that users of Windows Server 2003 should be safe from the attacks.
Posted on 02 October 2006 by Virus Bulletin