By Patrick Gray, 29 September 2003 09:05
Security experts have warned that a vulnerability that has apparently been left un-patched by Microsoft is being exploited by attackers "in the wild".

The 'object type' vulnerability, which was first acknowledged publicly by Microsoft on 20 August this year, allows an attacker to take control of a system by embedding malicious code in a web page. If the web page is viewed by an Internet Explorer browser - even a fully patched browser - the malicious code embedded in the web page will execute, experts say.

Despite Microsoft acknowledging the patch doesn't work, it evidently has not yet issued a working fix for the vulnerability.

US-based information security company iDefense released a statement over the weekend claiming the vulnerability is being actively exploited "in the wild". "Whether you are patched or not, attackers can execute code on your computer at will when you visit a hostile website when using vulnerable versions of Internet Explorer," the statement read.

The relevant Microsoft bulletin was issued on 20 August and last updated on 8 September. "Subsequent to issuing this security bulletin, Microsoft received reports that the patch provided with this bulletin does not properly correct the Object Type Vulnerability," Microsoft's security bulletin reads. "Microsoft is investigating these reports and will re-issue this bulletin with an updated patch that corrects these problems."

Managing director of mail filtering software company Clearswift, Chy Chuawiwat, told ZDNet Australia the vulnerability is serious. "It's definitely there and it continues to be easy to exploit," he said. "It could run anything and the users wouldn't know."

Chuawiwat suggests users disable ActiveX controls and plug-ins until Microsoft issues a patch that fixes the vulnerability. "For most enterprises there's no need for ActiveX so it should be disabled," he said. "Our standard policy would remove executables including ActiveX."

Users can disable ActiveX controls in their Internet Explorer settings by clicking Tools, Internet Options, Security, and then modifying the settings for the 'Internet Zone'. Ironically, in order to patch the system through Microsoft's WindowsUpdate website when a fix becomes available, users must allow ActiveX controls and plug-ins to run in the Internet Zone.

Patrick Gray writes for ZDNet Australia
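The Tools, Internet Options, Security dialog described above writes its choices into the current user's registry hive, so an administrator can audit or enforce the "disable ActiveX in the Internet Zone" mitigation across many machines without clicking through the dialog. The script below is an added example written for this page, not code from the article or from Microsoft; it assumes the well-known Internet Zone value names (1200 = Run ActiveX controls and plug-ins, 1001 = Download signed ActiveX controls, 1004 = Download unsigned ActiveX controls, 1201 = Initialize and script ActiveX controls not marked as safe) under zone key 3, with data 0 = Enable, 1 = Prompt and 3 = Disable.

```powershell
# Added example (not from the article): audit the Internet Zone (zone 3) ActiveX
# settings in the current user's hive and, with -Enforce, set them to Disable.
# Assumed: the value names and meanings listed in the hashtables below.
param(
    [switch]$Enforce   # without this switch the script only reports
)

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Value name -> the setting as it appears in the Internet Options dialog (assumed mapping)
$activeXValues = @{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
}
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXZoneState {
    $zone = Get-ItemProperty -Path $zonePath -ErrorAction Stop
    foreach ($name in $activeXValues.Keys) {
        $raw = $zone.$name
        $label = if ($null -eq $raw) {
            'not set (zone default)'
        } elseif ($meaning.ContainsKey([int]$raw)) {
            $meaning[[int]$raw]
        } else {
            "unknown ($raw)"
        }
        [pscustomobject]@{
            Value   = $name
            Setting = $activeXValues[$name]
            State   = $label
            # Enable or Prompt still lets a control run once the user clicks through
            Exposed = ($raw -eq 0 -or $raw -eq 1)
        }
    }
}

Write-Host "Internet Zone ActiveX settings for $env:USERNAME (before):"
Get-ActiveXZoneState | Format-Table -AutoSize

if ($Enforce) {
    foreach ($name in $activeXValues.Keys) {
        Set-ItemProperty -Path $zonePath -Name $name -Value 3 -Type DWord
    }
    Write-Host "Set to Disable. Re-check:"
    Get-ActiveXZoneState | Format-Table -AutoSize
}
```

Run it without arguments to see which of the four settings still expose the user, and with `-Enforce` to apply the mitigation. Two caveats: where Internet Explorer zones are managed by group policy, the policy hive takes precedence and the per-user values shown here may not be the effective ones; and, as the article notes, the Windows Update site of that era itself needed ActiveX in the Internet Zone, so the setting has to be relaxed again (or left at Prompt) for the eventual patch to install.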
Comments
1. Peter Goodwin
Is it just me, or does anyone else think it would be a really good idea to detail the bulletin's name and number and possibly even include a link to it? I've read many of these articles referring to MS Bulletins and they hardly ever mention the name/number.
I know this is an oldish article, but the principle remains the same, and to be fair to Bloor/IT Director they are by no means alone on this omission. For reference the Microsoft Security Bulletin was "MS03-032", the Patch Number was "8229256" and it was entitled "Cumulative Patch for Internet Explorer (822925)".
It has since been updated on 3 October 2003 and superseded by "MS03-040 : Cumulative Patch for Internet Explorer (828750)" released 3 October 2003 and updated 6 October 2003.
And no, I don't work for Microsoft, but I do take the issue of patching seriously and maintain a separate list of all patches and relevant references and URL Links by “screenscraping” the title and pasting it in a simple spreadsheet that I update whenever a new patch is released.