
Researcher: IE Cumulative Patch Inadequate

Written by Ryan Naraine
Sep 8, 2003

Security research firm Secunia has recommended that users of Microsoft’s Internet Explorer browser disable ActiveX controls and plugins to protect against a variant of the “Object Data” vulnerability.

The Secunia warning comes just one week after Microsoft issued a cumulative patch for the IE browser that carried a ‘critical’ rating.

However, in a special update, Secunia said Microsoft’s cumulative patch
was not adequate and warned that exploitation of the most serious security
hole had already been discovered in the wild. “Analysis shows that the exploit
installs a program called ADPlus module or SurferBar, which is added to a
user’s Internet Explorer and contains links to various porn sites,” the company
cautioned.

“The “Object Data” vulnerability is straightforward to exploit. In many
ways, this vulnerability is similar to [a previous flaw] which was exploited
by notorious viruses like Nimda, Badtrans and Klez,” the company said.

Efforts to contact Microsoft were not successful at press time.

To protect against the vulnerability, IE users should disable Active
Scripting until Microsoft provides a comprehensive fix.

Secunia said the “Object Data” hole can be targeted via e-mail or
specially-crafted Web sites to allow execution of arbitrary code on the
client system.

To determine the safety of an object, the IE browser interprets the file
extension specified in the “Object Data” tag. “This allows a malicious
person to specify a “safe” file with e.g. a “.html” extension in “Object
Data”, which causes Internet Explorer to interpret it as a “safe” file,” the
company explained. However, when the file is retrieved by IE, the
“Content-Type” header determines how the file will be treated. “This allows
an executable file like a “.hta” file to be treated as a “safe” file and be
executed silently without restrictions,” Secunia warned.
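
The mismatch Secunia describes, a passive-looking extension in the URL paired with an active "Content-Type" in the response, is something a defender can look for in web proxy records. The sketch below is an added example, not code from Secunia or Microsoft; the record fields, the extension and media-type lists, and the sample records are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit

# Assumed lists for this example; tune them to your environment.
PASSIVE_EXTS = {".html", ".htm", ".txt", ".gif", ".jpg", ".png"}
ACTIVE_TYPES = {"application/hta", "application/x-msdownload"}

def url_extension(url):
    """Lowercased extension of the URL path, ignoring query and fragment."""
    return posixpath.splitext(urlsplit(url).path)[1].lower()

def media_type(content_type):
    """Lowercased media type with parameters such as charset removed."""
    return content_type.split(";", 1)[0].strip().lower()

def is_mismatch(url, content_type):
    """True when a passive-looking URL is served with an active Content-Type."""
    return (url_extension(url) in PASSIVE_EXTS
            and media_type(content_type) in ACTIVE_TYPES)

def scan(records):
    """Return the records whose URL extension and Content-Type disagree."""
    return [r for r in records if is_mismatch(r["url"], r["content_type"])]

# Constructed sample records (not real traffic).
SAMPLE = [
    {"url": "http://example.test/index.html", "content_type": "text/html; charset=utf-8"},
    {"url": "http://example.test/news.html?id=7", "content_type": "Application/HTA"},
    {"url": "http://example.test/tool.hta", "content_type": "application/hta"},
    {"url": "http://example.test/pic.gif", "content_type": "application/x-msdownload; name=a"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("MISMATCH", hit["url"], "->", media_type(hit["content_type"]))
```

The ".hta" URL served as "application/hta" is not flagged here because the extension and header agree; blocking that type outright is a separate policy decision.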

The flaw, which Secunia described as “extremely critical,” affects
Microsoft IE versions 5.01, 5.5 and 6.0.
