Temporary Patch Released For IE Flaw
SecurityProNews Staff Writer
2006-03-29
An exploit for a highly critical flaw in Microsoft's Internet Explorer (IE) Web browser is circulating. Until Microsoft releases its own patch, eEye Digital Security has released its own downloadable one.
This serious zero-day vulnerability affects Internet Explorer versions 5.01 SP4 through 6.0 SP1 that run on the following Windows operating systems: Windows NT 4.0, Windows 98 and 98 ME, Windows 2000 SP4, Windows XP SP1 and 2, and Windows 2003.
The flaw can be exploited through Web browsing, email and instant messaging, and several versions of the exploit are already in the wild and being actively used maliciously. The vulnerability results from the way Internet Explorer handles HTML objects, and it allows remote code to be executed on the target system. If exploitation succeeds, the attacker gains only the rights of the currently logged-on user.
System administrators should be careful not to use Administrator accounts for general system use. There have already been numerous reports of this vulnerability being used on various Websites in attempts to install spyware and remote-control "bot" software for use in Distributed Denial of Service (DDoS) attacks.
The recommended action to protect systems against this attack is to disable Active Scripting within Internet Explorer. Users can disable Active Scripting locally on each machine, or administrators can do so across an entire Active Directory domain using Group Policy (GPO). System administrators should reference the appropriate Microsoft Support Bulletins.
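The local mitigation described above comes down to one registry setting in the Internet Explorer "Internet" security zone. The following PowerShell script is an added example written for this page; it is not code from the article, from eEye or from Microsoft. It audits the Active Scripting setting for the current user, reports whether a Group Policy setting is already in force, and, with `-Disable`, switches the setting to "Disable". The zone number (3 = Internet zone), the value name (1400 = Active scripting) and its meanings (0 = Enable, 1 = Prompt, 3 = Disable) are the documented IE zone settings; the policy path under `Software\Policies` is assumed here to be where a GPO-applied setting would land, so treat that part as an assumption to verify against your own domain.

```powershell
# Added example (not from the article, eEye or Microsoft): audit and optionally
# disable Active Scripting in the Internet Explorer "Internet" zone.
#   Zone 3            = Internet zone
#   DWORD value 1400  = "Active scripting": 0 = Enable, 1 = Prompt, 3 = Disable
param(
    [switch]$Disable
)

$userZone   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
# Assumption: a GPO-applied zone setting is written under the Policies hive
# and takes precedence over the per-user value. Verify for your environment.
$policyZone = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$valueName  = '1400'
$labels     = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneDword {
    param([string]$Path, [string]$Name)
    # Returns the DWORD as an integer, or $null when the key/value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Describe-Setting {
    param([object]$Value)
    if ($null -eq $Value) { return 'not set' }
    if ($labels.ContainsKey($Value)) { return "$Value ($($labels[$Value]))" }
    return "$Value (unknown)"
}

$policyValue = Get-ZoneDword -Path $policyZone -Name $valueName
$userValue   = Get-ZoneDword -Path $userZone   -Name $valueName

Write-Host "Active Scripting, Internet zone (user setting):   $(Describe-Setting $userValue)"
Write-Host "Active Scripting, Internet zone (policy setting): $(Describe-Setting $policyValue)"

if ($null -ne $policyValue) {
    Write-Host 'A Group Policy value is present; change it in the GPO rather than locally.'
    return
}

if ($Disable) {
    if (-not (Test-Path $userZone)) {
        New-Item -Path $userZone -Force | Out-Null
    }
    # 3 = Disable. -Type DWord keeps the value in the format IE expects.
    Set-ItemProperty -Path $userZone -Name $valueName -Value 3 -Type DWord
    $after = Get-ZoneDword -Path $userZone -Name $valueName
    Write-Host "Active Scripting now: $(Describe-Setting $after)"
} elseif ($userValue -ne 3) {
    Write-Host 'Active Scripting is not disabled; re-run with -Disable to turn it off.'
} else {
    Write-Host 'Active Scripting is already disabled for the Internet zone.'
}
```

Run the script without arguments to audit a workstation and with `-Disable` to apply the mitigation for the current user; it deliberately refuses to write locally when a policy value is present, because a GPO-managed setting would simply be reapplied at the next policy refresh. Expect legitimate sites to break while Active Scripting is disabled, which is exactly why the article notes that not every organization can take this step.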
eEye Digital Security has offered businesses two ways to protect themselves against these exploits: the company recommends its own Blink product for protection against this flaw, or downloading its temporary patch.
"This is a critical vulnerability that needs to be addressed immediately and, in the interests of our customers, we made the decision to release a temporary patch in addition to ensuring that Blink protects against the flaw," said Marc Maiffret, eEye's co-founder and chief hacking officer.
"Users can protect themselves by manually making configuration changes, but eEye realizes that not all organizations can take those steps. As a result, organizations should only install this patch if they are not able to disable Active Scripting as a means of mitigation."
eEye's patch is not meant to replace the forthcoming Microsoft patch, but to provide immediate protection until an official fix is available. The patch is designed to remove itself automatically when Microsoft's official patch becomes available.
Blink customers do not need to do anything to be protected from this flaw, as no updates or policy changes are required.
About the Author:
SecurityProNews is a daily online and email publication focusing on internet security issues.