An attacker could craft a malicious Web site that takes advantage of the flaw and gain control over the PCs that visit the Web site, or an attacker could install malicious software on those systems, a representative of the French Security Incident Response Team said in an e-mail interview Wednesday. The organization rates the issue "critical," its most serious classification.
Exploit code for the flaw is available on the Internet, according to the French security research group. The availability of exploit code typically raises the risk to users because it could aid miscreants in setting up attacks.
Microsoft is investigating the report of the new IE flaw, a company representative said in a statement late Wednesday. The software maker is not aware of attacks that use the reported flaw, the representative said. After the investigation, Microsoft will take the appropriate action to protect users, which could include a security update, she said. The company issued an advisory outlining workarounds for the issue on Thursday.
Internet security monitoring company Websense has added detection mechanisms for this latest potential IE flaw to its software. As of Wednesday afternoon the company had not found any malicious Web sites that take advantage of it, said Dan Hubbard, senior director of security and research at Websense in San Diego.
The flaw is similar to security vulnerabilities Microsoft fixed as part of its monthly patch release last week and in July, according to representative for the French Security Incident Response Team. The problem exists because IE inappropriately lets Web sites instantiate other pieces of Microsoft software on the PC.
It is not clear which users may be at risk. Exploiting this flaw requires a file called "Msdds.dll" to be present on the Windows PC. The French group is still investigating how common that file is. It appears to be installed with Microsoft's Visual Studio developer tools, but it may also be installed with more common software, the group's representative said.
"Microsoft said that this library is installed with Visual Studio, but we do not have Visual Studio installed on our lab machines," the representative said. The group has confirmed the vulnerability on a system with IE 6 on Windows XP with Service Pack 2 and all current patches, this person said.
On Thursday morning, FrSIRT said the exploitable library is also installed with Microsoft Office 2002. "Conclusion: msdds.dll is installed, at least, with Office 2002 and Visual Studio 2002 and 2003," the group said in an e-mail.
Other applications also install the file, the SANS Internet Storm Center said Thursday on its Web site. Applications that may also install this component include Microsoft's .Net Framework 1.1, Office 2000 and Office XP, Project and Visio, the SANS Internet Storm Center said.
IE users can protect themselves by not surfing to untrusted Web sites or disabling ActiveX controls. Using an alternative browser that does not support ActiveX, such as Firefox, also prevents this specific attack, according to SANS and FrSIRT.
Meanwhile, Websense has found Web sites that exploit security flaws Microsoft offered patches for last week and in July. The malicious code embedded in the Web sites installs a backdoor on the computer of the person who visits it with IE on a vulnerable Windows computer, Hubbard said.
There are "a couple of dozen" sites that exploit the IE flaw disclosed last week in Microsoft Security Bulletin MS05-038, according to Websense. The hole fixed with Security Bulletin MS03-037 a month ago is exploited by a couple of hundred Web sites, Hubbard said.
Microsoft rated both those fixed flaws "critical" and has urged users to apply software patches.
