IE COM Flaw Exposed MS Issues Advisory for New IE Vulnerability Sean Michael Kerner
Microsoft issues advisory for flaw after a security firm beats the company to the punch.
Just in time for your holiday weekend browsing, a new Microsoft Internet Explorer flaw has surfaced that could allow a hacker to take control of your PC.
A Microsoft advisory acknowledging the existence of the flaw was issued late yesterday after security firm SEC Consult published proof of concept code online.
The vulnerability stems from a COM (define) flaw (javaprxy.dll) that, according to the Microsoft security advisory, "could cause Internet Explorer to unexpectedly exit."
According to the advisory, Microsoft is investigating an exploitable condition of the vulnerability, which could potentially allow a hacker to run arbitrary code and take control of the compromised system.
SEC Consult claims it reported the vulnerability to Microsoft on June 17, which Microsoft responded to.
On June 29, Microsoft allegedly informed SEC Consult that the flaw was not exploitable. At that point, the security firm publicly released its own advisory, which includes a simple proof of concept code.
Microsoft's advisory notes that, "while this issue was first reported to Microsoft responsibly, details about the reported vulnerability have been
made public."
A Microsoft spokesperson was not immediately available for comment.
There is currently no patch for the vulnerability, which could potentially be executed from an attacker's HTML page that is embedded with certain code
that could trigger the COM flaw.
Until a patch is made available, Microsoft is recommending that users set their IE zone security settings for both Internet and intranets to "High."
