IE/Access Flaw Leaves Windows PCs Vulnerable

London-based security firm GFI has uncovered a flaw in Microsoft Corp.’s Internet Explorer browser and Microsoft Access 2000 that
could be used to automatically execute macros on a victim’s machine.

“It can be most dangerous to open an email which uses this exploit because it will run on any computer having Internet Explorer and
Microsoft Access 2000, which forms part of MS Office,” warned GFI Security Engineer Sandro Gauci. “Our tests on this email threat
showed that, in Outlook 2000, the embedded VBA code was executed automatically even within the High Security and Restricted Zone.
Such an email that contains malicious code could do almost anything on the recipient’s machine.”

The firm has already notified Microsoft, which put out a security bulletin on
Monday. Microsoft has released a patch for the flaw, available for download here.

The flaw in Internet Explorer allows a malicious user to run arbitrary code on a target machine as it attempts to view a Web site or
an HTML email, according to GFI. The company said a malicious hacker could exploit the flaw by embedding macro code such as VBA
within an Access database file (.mdb) that would in turn be nestled within an Outlook Express email file or Multipart HTML File

The flaw can be exploited through email by using an iframe tag in an HTML email or a () within a tag, allowing
IE to automatically access the exploit eml file. GFI said filtering all HTML email for JavaScript and similar scripting capabilities
and checking for IFRAME could prevent the exploit from running through email. The firm also recommended filtering out mdb files and
possibly blocking access to eml, mhtml and mht files through HTTP and email.

News Around the Web