Within hours of Microsoft releasing its patch last week to plug a hole in its Internet Explorer browser, a Dutch security expert posted code on his site showing that a patched browser can still be exploited by a closely related technique.
The still-unpatched vulnerability, dubbed the “insider” vulnerability, is similar to the ADODB.Stream vulnerability in that it also lives in an ActiveX component that script on a Web page can invoke. This one is in the Shell.Application component, and it enables essentially the same attack: a malicious Web site can push code onto the computer of an IE user without that user’s knowledge, even if every available patch, including last week’s ADODB.Stream fix, has been applied.
Last Friday, Microsoft responded to the security issue with the ADODB.Stream component, which had allowed the widespread transmission of a Trojan known as Download.Ject or Scob. That Trojan was blamed for the attack that targeted servers running Microsoft Internet Information Services 5.0 and used those compromised sites to deliver the malicious code to visiting IE users.
Microsoft’s browser has come under increasing criticism in recent weeks as flaw after flaw has been reported by various security experts, leaving the company scrambling to patch holes.
Microsoft has posted an information page about Download.Ject and has updated its customers through its Windows Update site. The company’s efforts weren’t enough to stop the U.S. Computer Emergency Readiness Team (US-CERT) from warning computer users late last week to avoid using Internet Explorer altogether.
The much-anticipated Windows XP Service Pack 2, expected in final release later this summer, is set to feature a significant security overhaul for Internet Explorer.
Microsoft’s competitors in the browser space have taken note of the company’s ActiveX-related security issues. Mozilla, Opera and Apple announced an initiative to develop a new plug-in standard that they hope will be more secure than Microsoft’s ActiveX implementation.