Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Latest News

      Microsoft Warns of IE Zero-Day Exploit

      By
      Ryan Naraine
      -
      August 18, 2005
      Share
      Facebook
      Twitter
      Linkedin

        Microsoft late Thursday issued an advisory with pre-patch workarounds to counter the public release of a zero-day exploit targeting users of its Internet Explorer browser.

        The release of the advisory comes less than 24 hours after the FrSIRT (French Security Incident Response Team) published a proof-of-concept exploit that could be used by malicious hackers to target IE users.

        The flaw is described as an error in the way IE handles the “Msddds.dll” COM object.

        Msdds.dll (Microsoft DDS Library Shape Control) is a COM object that could, when called from a Web page displayed in Internet Explorer, cause the browser to unexpectedly crash.

        “This condition could potentially allow remote code execution if a user visited a malicious Web site. This COM Object is not marked safe for scripting and is not intended for use in Internet Explorer,” Microsoft warned.

        There is no patch available for the vulnerability and, because exploit code has already been released, incident handlers at the SANS ISC (Internet Storm Center) believe a widespread attack is very likely.

        “We feel widespread malicious use of this vulnerability is imminent, and the workarounds shown here provide sufficient countermeasures to be applied quickly,” the Storm Center said in a daily incident diary entry.

        Security alerts aggregator Secunia Inc. rates the vulnerability as “highly critical” and warned that a successful exploit may allow the execution of arbitrary code. However, a malicious hacker must first trick a user into visiting a specially crafted Web site to launch an attack.

        According to Microsoft Corp.s advisory, an attacker could target the hole to “take complete control of the affected system.”

        /zimages/1/28571.gifClick here to read more about Microsoft shipping Killbit Workaround for IE Security Hole.

        The Msdds.dll COM Object is used to provide a built-in shape for DDS Designer Surfaces. It is used by components such as Visual Studio Database Diagramming to provide a way to visualize database objects.

        In addition to Microsoft Visual Studio .NET 2003, the COM object can be found in Office 2003 and Office XP, two widely used desktop productivity software programs.

        Microsoft plans to release a security bulletin with patches for the flaw – either through the monthly update process or with an out-of-cycle release.

        PRE-PATCH WORKAROUNDS:

        In the absence of a patch, the company has published detailed workarounds and mitigation guidance to help block known attack vectors:

        • Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX controls in these zones. This can be done via the Tools > Internet Options menu in IE. In the Security tab, select the Internet icon and move the security level slider to “High.” If no slider is visible, click Default Level, and then move the slider to “High.”
        • Change the IE settings to prompt before running or disable ActiveX controls in the Internet and Local intranet security zone. In the Tools > Internet Options menu, click the security tab and click “custom level” from the Internet section. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK. The same changes can be made in the Local intranet section.
        • Disable the Msdds.dll COM object from running in Internet Explorer. This can be done by setting the kill bit for the control but Microsoft warns that incorrect use of the Registry Editor can cause serious OS problems.
        • Unregister the Msdds.dll COM object. Via Start > Run, type “regsvr32 /u Msdds.dll” (without the quotation marks), and then click OK. A dialog box appears to confirm that the unregistration process was successful. The browser must be closed and reopened for the changes to take effect. Microsoft cautions that this process may cause problems for applications that require the COM object.

        The software giant has also activated an RSS feed for its security advisories to help customers keep track of threat warnings.

        /zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

        Ryan Naraine
        Get the Free Newsletter!
        Subscribe to Daily Tech Insider for top news, trends & analysis
        This email address is invalid.
        Get the Free Newsletter!
        Subscribe to Daily Tech Insider for top news, trends & analysis
        This email address is invalid.

        MOST POPULAR ARTICLES

        Latest News

        Zeus Kerravala on Networking: Multicloud, 5G, and...

        James Maguire - December 16, 2022 0
        I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
        Read more
        Applications

        Datadog President Amit Agarwal on Trends in...

        James Maguire - November 11, 2022 0
        I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
        Read more
        IT Management

        Intuit’s Nhung Ho on AI for the...

        James Maguire - May 13, 2022 0
        I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
        Read more
        Applications

        Kyndryl’s Nicolas Sekkaki on Handling AI and...

        James Maguire - November 9, 2022 0
        I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
        Read more
        Cloud

        IGEL CEO Jed Ayres on Edge and...

        James Maguire - June 14, 2022 0
        I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
        Read more
        Logo

        eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

        Facebook
        Linkedin
        RSS
        Twitter
        Youtube

        Advertisers

        Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

        Advertise with Us

        Menu

        • About eWeek
        • Subscribe to our Newsletter
        • Latest News

        Our Brands

        • Privacy Policy
        • Terms
        • About
        • Contact
        • Advertise
        • Sitemap
        • California – Do Not Sell My Information

        Property of TechnologyAdvice.
        © 2022 TechnologyAdvice. All Rights Reserved

        Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

        ×