Sunday, September 17, 2006

IE At Risk To New Unpatched Bug

Exploit code for an unpatched vulnerability in Microsoft's Internet Explorer is circulating, a security company said Friday, but the danger remains low as the current attack only crashes the browser.

Fully-patched Windows XP SP2 and Windows 2000 SP4 systems are open to the new attack, said David Cole, director of Symantec's security response group. "This is proof-of-concept code, we haven't seen any active exploits," said Cole. "Whether it grows into something bigger is heavily linked to if it gets remote code execution [capabilities]," he added.

The news comes just three days after Microsoft released its newest security updates. On Tuesday, however, the company's browser was not patched; an August fix that ended up being released three different times, most recently this week, was the last IE update.

There is no patch now available for the bug, which Microsoft acknowledged it is investigating. In a security advisory issued Thursday, the Redmond, Wash. developer said that it would either release a patch in its regularly-scheduled monthly update, or as an out-of-cycle fix. Windows Server 2003 is not at risk.

The new IE problem is related to an ActiveX control (Microsoft DirectAnimation Path) that's part of the "daxctle.ocx" COM object. An attacker who successfully exploited the vulnerability could hijack the computer, Microsoft acknowledged, without any interaction once a user had been enticed to a malicious Web site.

Microsoft patched ActiveX controls several times last year as attackers discovered that Windows wasn't properly checking to see whether data passed to controls was within allowed parameters. In the case of the proof-of-concept code now available, JavaScript passes unacceptable data to the control, which then results in a heap overflow.

Cole said it wasn't a shock that ActiveX continues to have issues. "The more functionality [in code], the more likely there's an error in it," he said. "Complexity is the enemy of security. It's a difficult problem to solve. Developers try to balance rich functionality with security."

Even though an actual in-the-wild exploit has not been spotted, some security organizations sounded the alarm. Danish vulnerability tracker Secunia, for example, ranked the IE flaw as "Extremely critical," its most serious warning.

With a patch unavailable, Symantec recommended that users check out Microsoft's advice, which included setting the "kill bit" for the ActiveX control to disable it. That, however, requires users to edit the Windows Registry, something many are unprepared to do. In the past, Microsoft's suggestions to set specific kill bits have been taken up by third-party researchers, who have cranked out automated tools for turning off the control.

Another tactic, said Microsoft, is to disable all ActiveX controls in Internet Explorer from the dialog that appears after selecting Tools|Internet Options.

Internet Explorer 7, which Microsoft will release later this year for Windows XP (and early next year bundled with Windows Vista), may stymie similar vulnerabilities in the future, said Cole. "There's some promising signs," said Cole, "but to think that IE 7 will eliminate all these vulnerabilities is ignoring the history of computer security."

In fact, there are growing signs that attackers may soon target Web 2.0 applications written in Ajax. Among Ajax-based sites and services, Cole counted the popular social network MySpace, as well as new versions of Web-based e-mail from Microsoft and Yahoo.

"We've already seen a little bit of interest," said Cole. "The MySpace worm, and the Yamanner worm that attacked Yahoo Mail [in June]. They're not being exploited rampantly, but then neither is Ajax being used widespread.

"We'll find out a lot more about how vulnerable Ajax is in the not-too-distant future."

Source - Tech Web