Microsoft Warns of IE Zero-Day Exploit

Microsoft releases a security advisory with pre-patch workarounds to counter the public release of a zero-day exploit targeting Internet Explorer users.

Microsoft late Thursday issued an advisory with pre-patch workarounds to counter the public release of a zero-day exploit targeting users of its Internet Explorer browser.

The release of the advisory comes less than 24 hours after the FrSIRT (French Security Incident Response Team) published a proof-of-concept exploit that could be used by malicious hackers to target IE users.

The flaw is described as an error in the way IE handles the "Msdds.dll" COM object.

Msdds.dll (Microsoft DDS Library Shape Control) is a COM object that could, when called from a Web page displayed in Internet Explorer, cause the browser to unexpectedly crash.

"This condition could potentially allow remote code execution if a user visited a malicious Web site. This COM Object is not marked safe for scripting and is not intended for use in Internet Explorer," Microsoft warned.

There is no patch available for the vulnerability and, because exploit code has already been released, incident handlers at the SANS ISC (Internet Storm Center) believe a widespread attack is very likely.

"We feel widespread malicious use of this vulnerability is imminent, and the workarounds shown here provide sufficient countermeasures to be applied quickly," the Storm Center said in a daily incident diary entry.

Security alerts aggregator Secunia Inc. rates the vulnerability as "highly critical" and warned that a successful exploit may allow the execution of arbitrary code. However, a malicious hacker must first trick a user into visiting a specially crafted Web site to launch an attack.

According to Microsoft Corp.'s advisory, an attacker could target the hole to "take complete control of the affected system."


The Msdds.dll COM Object is used to provide a built-in shape for DDS Designer Surfaces. It is used by components such as Visual Studio Database Diagramming to provide a way to visualize database objects.

In addition to Microsoft Visual Studio .NET 2003, the COM object can be found in Office 2003 and Office XP, two widely used desktop productivity software programs.

Microsoft plans to release a security bulletin with patches for the flaw – either through the monthly update process or with an out-of-cycle release.


In the absence of a patch, the company has published detailed workarounds and mitigation guidance to help block known attack vectors:

  • Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX controls in these zones. This can be done via the Tools > Internet Options menu in IE. In the Security tab, select the Internet icon and move the security level slider to "High." If no slider is visible, click Default Level, and then move the slider to "High."
  • Change the IE settings to prompt before running or disable ActiveX controls in the Internet and Local intranet security zone. In the Tools > Internet Options menu, click the security tab and click "custom level" from the Internet section. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK. The same changes can be made in the Local intranet section.
  • Disable the Msdds.dll COM object from running in Internet Explorer. This can be done by setting the kill bit for the control, but Microsoft warns that incorrect use of the Registry Editor can cause serious OS problems.
  • Unregister the Msdds.dll COM object. Via Start > Run, type "regsvr32 /u Msdds.dll" (without the quotation marks), and then click OK. A dialog box appears to confirm that the unregistration process was successful. The browser must be closed and reopened for the changes to take effect. Microsoft cautions that this process may cause problems for applications that require the COM object.
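
The kill-bit workaround from the list above, as an added PowerShell example (not code from Microsoft's advisory or from this article): it finds every COM class whose in-process server is Msdds.dll and reports whether the kill bit is set, or sets it when run elevated with -Set. The "ActiveX Compatibility" registry key and the 0x400 "Compatibility Flags" value are the standard kill-bit mechanism; the CLSID is discovered at run time because the article does not give it, and the function names are hypothetical.

```powershell
# Added example: audit (and optionally set) the IE kill bit for Msdds.dll.
# Usage: .\Check-KillBit.ps1          (report only)
#        .\Check-KillBit.ps1 -Set     (elevated prompt; sets missing kill bits)
param(
    [string]$DllName = 'msdds.dll',
    [switch]$Set
)

$KillBit    = 0x400   # Compatibility Flags bit that stops IE instantiating the control
$CompatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-ClsidForDll([string]$Name) {
    # Walk the machine-wide CLSID list and match on the InprocServer32 default value.
    Get-ChildItem 'HKLM:\SOFTWARE\Classes\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $inproc = Join-Path $_.PSPath 'InprocServer32'
        if (Test-Path -LiteralPath $inproc) {
            $server = [string](Get-Item -LiteralPath $inproc).GetValue('')
            if ($server -and ((Split-Path -Leaf $server.Trim('"')) -ieq $Name)) {
                [pscustomobject]@{ Clsid = $_.PSChildName; Server = $server }
            }
        }
    }
}

function Test-KillBit([string]$Clsid) {
    # A missing key or missing value means the control is not blocked.
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $flags = (Get-Item -LiteralPath $key).GetValue('Compatibility Flags', 0)
    return (($flags -band $KillBit) -ne 0)
}

foreach ($c in Get-ClsidForDll $DllName) {
    if ($Set -and -not (Test-KillBit $c.Clsid)) {
        $key = Join-Path $CompatRoot $c.Clsid
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        # Preserve any flags already present and OR in the kill bit.
        $old = (Get-Item -LiteralPath $key).GetValue('Compatibility Flags', 0)
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
            -Value ($old -bor $KillBit) -Force | Out-Null
    }
    [pscustomobject]@{ Clsid = $c.Clsid; Server = $c.Server; KillBitSet = Test-KillBit $c.Clsid }
}
```

No output means no class on the machine is registered to Msdds.dll. On 64-bit Windows, 32-bit Internet Explorer reads the same keys under SOFTWARE\WOW6432Node, so that view needs the same check.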

The software giant has also activated an RSS feed for its security advisories to help customers keep track of threat warnings.
