RealTime IT News

Hackers Attack ActiveX Flaw in IE

UPDATED: Internet Explorer is again the target of an exploit. The latest, prompting an investigation by Microsoft , could allow hackers to take control of some un-patched PCs.

The attack code appears just days after Microsoft's regular monthly patch releases, an increasingly common tactic by malicious hackers.

"This vulnerability may allow an attacker to execute code on a user's machine by convincing them to visit a malicious Web site using Internet Explorer," according to a statement from a Microsoft spokesperson.

The software giant released a security advisory suggesting Windows XP and Windows 2000 disable ActiveX and active scripting features.

Windows 2003 is not affected, according to Microsoft.

Attackers can use a flaw in the multimedia-related ActiveX controls and a specially crafted Web page.

However, Microsoft cautioned it is "not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time."

The exploit is rated as "critical" for IE 5.01 and 6 users, according to the French Security Incident Response Team (FrSIRT).

Microsoft said it "will take the appropriate action," including possibly releasing an out-of-cycle security update.

The new reports come just days after the company's most recent patch release.

Microsoft released the third version of a "critical" combined patch addressing problems injected in previous attempts to correct a number of IE flaws.

Windows users will likely need to wait until October for a patch to resolve this exploit, said Scott Carpenter, director of the Security Labs at Secure Elements, a PC security vendor.

If there is a work-around for a problem, Microsoft won't break from its monthly patch cycle, Carpenter told internetnews.com.

Carpenter, who has tested the new IE exploit, said this makes the third consecutive month where an exploit has followed a Microsoft patch.

"Patch Tuesday" has become part of the IT lexicon, said Andrew Jaquith, a Yankee Group analyst. "Now, we're seeing the emergence of another theme: 'Zero-Day Wednesday.'

As in this case, exploits are now less likely to depend on an application's vulnerability and instead rely on the security risk between the keyboard and the seat, said Carpenter.

An increasing number of exploits depend upon convincing people to visit a Web page, where malicious files provide hackers access to PCs.