UPDATED: Internet Explorer is again the target of an exploit. The latest,
prompting an investigation by Microsoft , could
allow hackers to take control of some un-patched PCs.
The attack code appears just days after Microsoft’s regular monthly patch releases, an increasingly common tactic by
malicious hackers.
“This vulnerability may allow an attacker to execute code on a user’s
machine by convincing them to visit a malicious Web site using
Internet Explorer,” according to a statement from a Microsoft
spokesperson.
The software giant released a security advisory suggesting Windows XP and Windows 2000 disable ActiveX and
active scripting features.
Windows 2003 is not affected, according to Microsoft.
Attackers can use a flaw in the multimedia-related ActiveX controls
and a specially crafted Web page.
However, Microsoft cautioned it is “not aware of any attacks
attempting to use the reported vulnerability or of customer impact at
this time.”
The exploit is rated as “critical” for IE 5.01 and 6 users, according
to the French Security Incident Response Team (FrSIRT).
Microsoft said it “will take the appropriate action,” including
possibly releasing an out-of-cycle security update.
The new reports
come just days after the company’s most recent patch release.
Microsoft released the third version of a “critical” combined patch addressing problems injected in previous attempts to correct a number of IE flaws.
Windows users will likely need to wait until October for a patch to
resolve this exploit, said Scott Carpenter, director of the
Security Labs at Secure Elements, a PC security vendor.
If there is a work-around for a problem, Microsoft won’t break from
its monthly patch cycle, Carpenter told internetnews.com.
Carpenter, who has tested the new IE exploit, said this makes the
third consecutive month where an exploit has followed a Microsoft patch.
“Patch Tuesday” has become part of the IT lexicon, said Andrew
Jaquith, a Yankee Group analyst. “Now, we’re seeing the emergence of another theme: ‘Zero-Day
Wednesday.’
As in this case, exploits are now less likely to depend on an
application’s vulnerability and instead rely on the security risk
between the keyboard and the seat, said Carpenter.
An increasing
number of exploits depend upon convincing people to visit a Web page,
where malicious files provide hackers access to PCs.