New Exploit for Unpatched IE Flaw

On Friday, Security Fix warned readers about an unpatched flaw in Microsoft's Internet Explorer Web browser that could let attackers take over your computer if you visit a malicious or hacked Web site. I'm blogging about it again to let readers know that at least two sets of programming instructions have been released that hackers can use to exploit the flaw to install whatever they want on vulnerable PCs.

In addition, I failed to mention in my first post that this flaw represents a serious security threat even for IE users who are otherwise following the basic security practices -- using a firewall, applying Microsoft patches, and staying current on the latest anti-virus software updates.

First off, there is no patch available yet from Microsoft to fix this problem. Second, because this is a browser flaw -- and browser Web traffic is configured by default in most firewalls to be allowed to pass in and out of the user's computer without interference -- even IE users who have properly configured a firewall are at risk. Third, many of today's virus threats disable anti-virus protection as the first order of business on a newly infected PC.

For those readers who insist on using Internet Explorer before a patch for this problem is made available, I would highly recommend following Microsoft's instructions on how to minimize the threat from this flaw (click on the "Workarounds" tab) -- however complex they may be.

Again, another solution is to try out a different browser, like Firefox, Netscape or Opera.

On this last piece of advice, I note with interest that the US Computer Emergency Readiness Team (US-CERT) -- the division of the Department of Homeland Security tasked with helping to educate businesses and consumers about staying safe online -- says nothing about using a different browser in its alert on this vulnerability.

By Brian Krebs  |  July 5, 2005; 2:57 PM ET
Categories:  Latest Warnings  

Comments

You should note that although this issue affects all versions of IE, the Microsoft Java Virtual Machine is not installed by default on Windows XP SP1 and higher, nor any version of Windows Server 2003.

MSJVM can still be installed by a third party application, or be left behind if the OS was upgraded from one that had the MSJVM.

A scan tool exists to see if your machine has MSJVM installed: http://www.microsoft.com/downloads/details.aspx?familyid=4e38f4f9-ce7e-4271-8836-a7d7293a992f&displaylang=en

While this is a serious vulnerability, there is a pretty good chance that you are not at risk if you are running one of the OSs listed above. The tool can tell you for sure.

Posted by: Matt | July 5, 2005 5:38 PM

One correction: MSJVM is not installed by default on XP SP1a and higher (and all versions of 2003).

Posted by: Matt | July 5, 2005 5:42 PM

MS has updated the Security Advisory to include a download to set the killbit for javaprxy.dll. According to MS, this will prevent IE from loading javaprxy.dll.

The download links are located under the Workarounds --> Disable the Javaprxy.dll COM object....

Posted by: Alex | July 5, 2005 6:16 PM
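The two comments above describe two separate checks an administrator would want to make: whether the MSJVM is actually present on the machine at all, and whether the kill bit workaround from Microsoft's advisory has been applied for the javaprxy.dll COM object. The script below is an added example written for this page, not code from Security Fix, from the commenters, or from Microsoft's advisory. It assumes the kill bit mechanism as Microsoft documents it (a `Compatibility Flags` DWORD with bit 0x400 set under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`), that `msjava.dll` and `javaprxy.dll` live in `%windir%\system32` when the MSJVM is installed, and it takes the CLSID as a parameter, with a placeholder default, because the advisory's CLSID is not quoted on this page.

```powershell
# Added example: audit (and optionally apply) the IE kill bit workaround for a COM object.
# Not part of the original post or Microsoft's advisory. Run from an elevated prompt when using -Apply.
param(
    # PLACEHOLDER: substitute the CLSID listed in Microsoft's advisory for javaprxy.dll.
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}',
    [switch]$Apply
)

# Microsoft's documented "kill bit": IE refuses to instantiate a control whose
# Compatibility Flags value has this bit set, whether or not the DLL is still on disk.
$KillBit = 0x400

$sys32  = Join-Path $env:windir 'system32'
$report = [ordered]@{}

# 1. Is the MSJVM present? msjava.dll is the runtime; javaprxy.dll is the COM proxy IE loads.
#    (The comments note it is absent by default on XP SP1a+ and Server 2003 but can be
#    left behind by an upgrade or installed by a third-party application.)
foreach ($dll in 'msjava.dll', 'javaprxy.dll') {
    $report[$dll] = Test-Path (Join-Path $sys32 $dll)
}

# 2. Is the kill bit already set for the CLSID?
$key   = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
$flags = 0
if (Test-Path $key) {
    $value = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -ne $value) { $flags = [int]$value.'Compatibility Flags' }
}
$report['KillBitSet'] = (($flags -band $KillBit) -ne 0)

[pscustomobject]$report | Format-List

if ($report['javaprxy.dll'] -and -not $report['KillBitSet']) {
    Write-Warning "javaprxy.dll is present and the kill bit is not set; the workaround has not been applied."
}

# 3. Optionally apply the workaround: create the key if needed and OR in the kill bit
#    so any other flags already present are preserved.
if ($Apply -and -not $report['KillBitSet']) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($flags -bor $KillBit) -Type DWord
    Write-Output "Kill bit set for $Clsid."
}
```

Without `-Apply` the script only reports, which is the safer default for rolling it out across a fleet; the kill bit is the same mechanism Microsoft's own download uses, so a machine where the download has been run should show `KillBitSet : True`. Note that the kill bit blocks IE from loading the object but does not remove the DLL, so the file-presence checks will still report `True` afterwards.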


© 2010 The Washington Post Company