Wednesday, August 23, 2006

Is Your Windows Open?

From eEye Digital Security:
August 22, 2006

Recent Internet Explorer Security Update Opens Windows Users to Attack

The flaw in the cumulative update, initially thought to only crash Internet Explorer, actually allows an attacker to run code on computers running Windows 2000 and Windows XP Service Pack 1.

Overview
On August 8th, Microsoft released a cumulative update for Internet Explorer 6 Service Pack 1 (MS06-042). By the following day, users and businesses began to notice that the update caused Internet Explorer to crash when browsing some websites.

On August 11th, Microsoft created a Knowledge Base article which mentioned problems with the MS06-042 patch, and how Internet Explorer can crash when viewing web pages that use compression. The Knowledge Base article failed to mention that the bug is not just a crash, but in fact is something that an attacker can use to remotely compromise PCs. The article also referenced a hotfix for the issue which can be requested through Microsoft Product Support Services.

As of today, August 22nd, technical details of this vulnerability are not public, but it is safe to assume that a savvy attacker can discover the underlying issue and exploit it via a malicious website. eEye is warning its customers to be aware of the risk, and to contact Microsoft Support to obtain the hotfix.

More information on this issue and links to the Microsoft Support documents can be found on the eEye Research Portal.