Zero-day exploits are among the most traumatic events on the IT security
landscape because they come without warning and by definition have no fix.
With the specter of such an exploit budding on Friday by a French
security firm claiming that it found such an exploit in Microsoft’s Internet
Explorer, Microsoft quickly issued an advisory with workaround information.
French security firm FrSIRT titled the exploit, “Microsoft Internet
Explorer “Msdds.dll” Remote Code Execution Exploit” and publicly posted
Proof of Concept code on its Website in order to backup its claim.
An FrSIRT
spokesperson told internetnews.com that an anonymous researcher who sent the exploit to FrSIRT first discovered the vulnerability.
FrSIRT did not first alert Microsoft about the vulnerability, which
Microsoft does not consider to be responsible disclosure.
“We continue to encourage responsible disclosure of vulnerabilities,”
Microsoft’s advisory on the issue states. “We believe the commonly accepted
practice of reporting vulnerabilities directly to a vendor serves everyone’s
best interests. This practice helps to ensure that customers receive
comprehensive, high-quality updates for security vulnerabilities without
exposure to malicious attackers while the update is being developed.”
FrSIRT’s spokesperson explained that the researcher who discovered the
issue decided to publicly disclose it. In accordance with FrSIRT’s
disclosure policy, the firm verified the information and then published the
exploit on the FrSIRT website.
Microsoft Security Advisory (906267) said Microsoft is investigating the issue and is currently unaware of any attacks
using the exploit.
The advisory explains that the Msdds.dll COM “This condition could potentially allow remote code execution if a user In fact, in the mitigating factors section of Microsoft’s advisory, the company said According to a US-CERT Microsoft has offered a number of workaround in its advisory to further
from a Web page viewed with IE could case IE “to unexpectedly exit.”
visited a malicious Web site,” the advisory states. “This COM Object is not
marked safe for scripting and is not intended for use in Internet Explorer.”
only IE users with the affected COM object (Msdds.dll versions
7.0.6064.9112 and 7.0.9466.0) are vulnerable.
advisory on the issue (http://www.kb.cert.org/vuls/id/740372) IE users that
have Visual Studio .NET 2002 installed on their systems are the users that
are likely at risk. The at risk version of Msdds.dll does not ship with
Microsoft Windows and is not part of Microsoft Office either.
mitigate risk. Those workarounds include:
before running ActiveX controls in these zones;
controls in the Internet and Local intranet security zone;
from running in Internet Explorer;