Microsoft Warns of IE Zero-Day Exploit
Microsoft late Thursday issued an advisory with pre-patch workarounds to counter the public release of a zero-day exploit targeting users of its Internet Explorer browser.
The release of the advisory comes less than 24 hours after the FrSIRT (French Security Incident Response Team) published a proof-of-concept exploit that could be used by malicious hackers to target IE users.
The flaw is described as an error in the way IE handles the "Msdds.dll" COM object.
Msdds.dll (Microsoft DDS Library Shape Control) is a COM object that could, when called from a Web page displayed in Internet Explorer, cause the browser to unexpectedly crash.
"This condition could potentially allow remote code execution if a user visited a malicious Web site. This COM Object is not marked safe for scripting and is not intended for use in Internet Explorer," Microsoft warned.
There is no patch available for the vulnerability and, because exploit code has already been released, incident handlers at the SANS ISC (Internet Storm Center) believe a widespread attack is very likely.
"We feel widespread malicious use of this vulnerability is imminent, and the workarounds shown here provide sufficient countermeasures to be applied quickly," the Storm Center said in a daily incident diary entry.
Security alerts aggregator Secunia Inc. rates the vulnerability as "highly critical" and warned that a successful exploit may allow the execution of arbitrary code. However, a malicious hacker must first trick a user into visiting a specially crafted Web site to launch an attack.
According to Microsoft Corp.'s advisory, an attacker could target the hole to "take complete control of the affected system."
The Msdds.dll COM Object is used to provide a built-in shape for DDS Designer Surfaces. It is used by components such as Visual Studio Database Diagramming to provide a way to visualize database objects.
In addition to Microsoft Visual Studio .NET 2003, the COM object can be found in Office 2003 and Office XP, two widely used desktop productivity software programs.
Microsoft plans to release a security bulletin with patches for the flaw either through the monthly update process or with an out-of-cycle release.
In the absence of a patch, the company has published detailed workarounds and mitigation guidance to help block known attack vectors:
The software giant has also activated an RSS feed for its security advisories to help customers keep track of threat warnings.
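As an added illustration (not from the article or from Microsoft's advisory), this PowerShell script reads the registry entries that decide how Internet Explorer treats a COM class: whether the class is registered, whether it declares the safe-for-scripting category, and whether the IE kill bit (Compatibility Flags 0x400) is set. The CLSID is a placeholder because the article does not give one, and the function name `Get-ComIeExposure` is hypothetical.

```powershell
# Added example: audit how Internet Explorer would treat one COM class.
# The default CLSID is a placeholder; take the real one from the vendor advisory.
param([string]$Clsid = '{00000000-0000-0000-0000-000000000000}')

$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C3DE4}'  # CATID_SafeForScripting
$KillBit          = 0x400                                     # kill bit in "Compatibility Flags"

function Get-ComIeExposure {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Clsid)

    # 32-bit components on 64-bit Windows register under WOW6432Node, so check both views.
    $views = @(
        @{ Name    = 'Native'
           Classes = 'HKEY_CLASSES_ROOT\CLSID'
           IE      = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer' },
        @{ Name    = 'WOW64'
           Classes = 'HKEY_CLASSES_ROOT\WOW6432Node\CLSID'
           IE      = 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer' }
    )

    foreach ($v in $views) {
        $class = "Registry::$($v.Classes)\$Clsid"

        # DLL that implements the class (default value of InprocServer32), if any.
        $server = $null
        if (Test-Path -LiteralPath "$class\InprocServer32") {
            $server = (Get-Item -LiteralPath "$class\InprocServer32").GetValue('')
        }

        # Kill bit: IE refuses to instantiate the class when this flag is set.
        $flags  = 0
        $compat = "Registry::$($v.IE)\ActiveX Compatibility\$Clsid"
        if (Test-Path -LiteralPath $compat) {
            $flags = (Get-Item -LiteralPath $compat).GetValue('Compatibility Flags', 0)
        }

        [pscustomobject]@{
            View                   = $v.Name
            Registered             = (Test-Path -LiteralPath $class)
            Server                 = $server
            MarkedSafeForScripting = (Test-Path -LiteralPath "$class\Implemented Categories\$SafeForScripting")
            KillBitSet             = [bool]($flags -band $KillBit)
        }
    }
}

Get-ComIeExposure -Clsid $Clsid
```

A class can also declare scripting safety at run time through `IObjectSafety`, so `MarkedSafeForScripting` being false covers only the registry declaration.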