Just in time for your holiday weekend browsing, a new Microsoft Internet
Explorer flaw has surfaced that could allow a hacker to take control of your
PC.
A Microsoft advisory acknowledging the existence of the flaw was issued
late yesterday after security firm SEC Consult published proof-of-concept
code online.
The vulnerability stems from a COM object
(javaprxy.dll) that, according to the Microsoft security advisory, “could
cause Internet Explorer to unexpectedly exit.”
According to the advisory, Microsoft is investigating an exploitable
condition of the vulnerability, which could potentially allow a hacker to run
arbitrary code and take control of the compromised system.
SEC Consult claims it reported the vulnerability to
Microsoft on June 17, a report to which Microsoft responded.
On June 29, Microsoft allegedly informed SEC Consult that the flaw was not
exploitable. At that point, the security firm publicly released its own
advisory, which includes simple proof-of-concept code.
Microsoft’s advisory notes that, “while this issue was first reported to
Microsoft responsibly, details about the reported vulnerability have been
made public.”
A Microsoft spokesperson was not immediately available for comment.
There is currently no patch for the vulnerability, which could potentially
be triggered from an attacker’s HTML page that embeds certain code
capable of triggering the COM flaw.
Until a patch is made available, Microsoft is recommending that users set
their IE zone security settings for both the Internet and intranet zones to
“High.”