Network World

Hackers jump through holes in Microsoft patch

By Paul Roberts, IDG News Service, 09/08/2003

Security experts are warning Microsoft customers about silent Internet attacks that exploit a security flaw in the Internet Explorer Web browser, potentially allowing remote attackers to run malicious code on vulnerable machines.

The vulnerability is similar in scope to those exploited by devastating worms such as Nimda, Badtrans and Klez, according to one security company. And, to make matters worse, the flaw is one Microsoft said it fixed weeks ago.

The security hole, known as the "Object Data vulnerability," affects Internet Explorer (IE) versions 5.01, 5.5 and 6.0. It concerns the way that IE processes HTML pages containing a special element called the Object Data tag. If properly exploited, the vulnerability could enable an attacker to place a malicious computer program on a user's machine. No user actions would be required aside from opening an e-mail message or visiting a Web page containing the attack.

On Aug. 20, Microsoft released a patch for IE, MS03-032, that it said closed the hole, in addition to patching other security holes in IE.

According to a message posted to a prominent security discussion group Sunday, however, the vulnerability still exists on machines using IE even after applying the patch.

That message, posted by an individual using the name "http-equiv@excite.com," contained sample code showing that IE can still be attacked through the vulnerability by HTML pages that are created dynamically using script, such as JavaScript, embedded in Web pages or e-mail messages.

A Microsoft spokesman confirmed that the company is investigating the reports of new exploits for one of the vulnerabilities addressed in the MS03-032 security bulletin.

However, Microsoft still recommends that customers install that patch, he said.

The software giant is not aware of any customers who have been attacked using the vulnerability, he said.

However, security researchers know of at least one exploitation of the Object Data vulnerability that is already circulating on the Internet, according to a statement by security company Secunia of Copenhagen, Denmark.

An e-mail message that contains HTML code that exploits the vulnerability is used to silently retrieve and run a file, "drg.exe," that installs a file called "surferbar.dll" onto the victim's computer, according to the Secunia alert.
