Denmark-based security firm Secunia has
upgraded a warning issued last year
regarding a known vulnerability for computer users running Windows XP
Service Pack 2 and Internet Explorer (IE) 6.0 from “highly” to “extremely”
critical, according to an advisory published Friday.
It’s an update to an advisory first
issued Oct. 20, 2004, which found the combined use of an HTML Help
control flaw and a drag-and-drop vulnerability bypassed the “Local Computer”
zone lockdown security feature in XP SP2.
The vulnerability affects Web surfers who visit a Web site where an attacker
has manipulated the site to use the ActiveX Data Object (ADO) model to write
arbitrary files onto the user’s computer without the person’s knowledge.
Microsoft had already released a
patch for the drag-and-drop vulnerability, but officials were assessing
the combo vulnerability’s impact before deciding whether to issue a patch.
At the time, officials said installing the patch and disabling the “drag and
drop or copy and paste files” option would be enough to prevent the
vulnerability.
Microsoft officials said the Secunia advisory doesn’t bring anything new to the table.
“This new report describes an exploit that takes advantage of two previously reported
vulnerabilities in Internet Explorer,” a statement by Microsoft reads. “Microsoft is
currently working on an update to address these vulnerabilities. Customers who have
followed our Safe Browsing guidance and have set their Internet Security zone settings
to ‘high’ are not impacted by this vulnerability. Enterprise administrators who have
restricted access to the ‘startup’ folder on their network client computers are at a
reduced risk from this vulnerability.”
Secunia also learned about a second HTML Help control flaw, a variant of the
first control flaw that creates a security site/zone restriction error in
the handling of the “Related Topics” command. Officials originally believed
the control flaw only worked in conjunction with the drag-and-drop flaw, but
have now found it can be used to facilitate an exploit on its own. Attacks
against this vulnerability are now much easier to perpetrate, said Thomas
Kristensen, Secunia CTO.
“So there is definitely a very good reason to take this very seriously and
consider what actions you want to take against this vulnerability,” he said.
“I think this is the worst vulnerability we have seen in Internet Explorer
on Windows XP, XP [SP] 2 so far, so that alone makes it more interesting,
unfortunately.”
Kristensen said the advisory was specific to Windows XP users with SP 2, but
believes earlier versions of the software may be affected, as well.
Secunia officials recommend users switch to another type of browser until
Microsoft comes up with a fix. Alternatively, they suggest users follow
Microsoft’s advice and disable the “drag and drop or copy and paste files”
feature in IE and set the security level to “high.”
Secunia also posted a
test application
for Windows XP SP 2 and IE 6.0 users to
determine whether their systems are vulnerable.