Microsoft warns over serious, unpatched Internet Explorer bug in XP
Microsoft has warned anyone using Windows XP or Server 2003 to apply a workaround to a serious security problem in Internet Explorer. The issue, which doesn’t yet have a patch for a permanent solution, is already being exploited by hackers.
The issue involves a particular function of the ActiveX control used for processing video. Microsoft says the function has “no by-design uses” in Internet Explorer. A successful exploit gives the attacker the same rights as the logged-on user, which, when that user is an administrator, effectively gives them remote control of the machine.
The machines vulnerable to the attack are those running Windows XP, or those running Windows Server 2003 without the default Enhanced Security Configuration mode. The attack is launched simply by the user visiting a malicious Web page; a Microsoft engineer described it as a “browse-and-get-owned attack vector”.
While Internet Explorer 8 blocks the attack, and simply viewing a message in Outlook or Outlook Express does not trigger it, users who either open the site directly in Internet Explorer 6 or 7, or follow a link to it from an e-mail, are vulnerable.
Microsoft is working on a permanent solution to the problem which it says will be released once it’s of adequate quality. At this stage the chances are it will be released as part of next week’s monthly “Patch Tuesday” update.
In the meantime, given that the function serves no purpose, Microsoft recommends applying 45 kill bits. These are entries in the Windows Registry that tell Internet Explorer not to load a particular ActiveX control. As editing the registry is not a task for the faint-hearted, Microsoft has issued an automatic tool to do this at http://support.microsoft.com/kb/972890#FixItForMe
While there’s no evidence of this happening yet, past incidents suggest it’s possible other hackers may attempt to exploit the incident by creating pages which appear high on the rankings for related searches and using them to distribute viruses disguised as the Microsoft tool. For this reason users should only download the tool directly from Microsoft’s site.
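As an added illustration (not code from the article or from Microsoft's Fix It tool), the PowerShell check below reports whether the kill bit is set for a list of control CLSIDs, which is how an administrator can confirm the workaround took effect. The CLSIDs in the list are placeholders; the 45 real ones are listed in KB 972890.

```powershell
# Added example: audit ActiveX kill bits. A kill bit is bit 0x400 of the
# "Compatibility Flags" DWORD stored under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
$KillBit  = 0x400
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# Placeholder CLSIDs only; replace with the values from KB 972890.
$ClsidsToCheck = @(
    '{00000000-0000-0000-0000-000000000001}',
    '{00000000-0000-0000-0000-000000000002}'
)

function Test-KillBit {
    param([string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    # No key at all means no kill bit has ever been applied for this control.
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($flags -eq $null) { return $false }
    # Other flag bits may also be set; only bit 0x400 is the kill bit.
    return (($flags -band $KillBit) -eq $KillBit)
}

foreach ($clsid in $ClsidsToCheck) {
    $state = if (Test-KillBit $clsid) { 'kill bit SET' } else { 'kill bit NOT set' }
    Write-Output ("{0} : {1}" -f $clsid, $state)
}
```

Any CLSID reported as "kill bit NOT set" after running the Fix It tool indicates the workaround did not apply to that control.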
July 7th, 2009
Should anyone be surprised? Use Firefox if you still run Windows.
For really safe surfing use one of those live CDs that are made by Ubuntu or Fedora. Pop in the live CD, turn on your computer and surf till the cows come home.
July 13th, 2009
Or use IE8 as the article says.
July 20th, 2009
Yes, IE6 has created enough problems for Windows XP users.