Microsoft Confirms Code Execution Hole in IE

A security advisory from Redmond acknowledges that an Internet Explorer vulnerability could be potentially exploited by malicious hackers to take "complete control of the affected system."

Microsoft late Thursday confirmed a security flaw in its dominant Internet Explorer browser could be potentially exploited by malicious hackers to take "take complete control of the affected system."

The software giant released a security advisory acknowledging the vulnerability and recommended that IE users set Internet and local intranet security zone settings to "High" before running ActiveX controls in these zones.

All supported versions of Internet Explorer, including IE 6.0 in Windows XP SP 2 (Service Pack 2) are affected.

Microsoft Corp.s confirmation comes less than 24 hours after private security research firm SEC Consult published a working exploit to show that the bug could be exploited to crash the browser or execute arbitrary code in the context of IE.

Microsoft said it was not aware of any attacks attempting to use the reported vulnerability or customer impact and promised a patch would be made available once an investigation is completed.

"A COM object, javaprxy.dll, when instantiated in Internet Explorer can cause Internet Explorer to unexpectedly exit. We are investigating a potentially exploitable condition," Microsoft said in the advisory.

The company said a successful attacker could exploit the flaw by creating a malicious Web page and persuading the user to visit the page.

"An attacker could also attempt to compromise a Web site to have it display a Web page with malicious content to try to exploit this vulnerability."

Microsoft accused SEC Consult of publishing details and proof-of-concept that put customers at risk. However, the research outfit said it only posted the details after Microsoft said it could not confirm the existence of the flaw.

"Microsoft [did] not confirm the vulnerability, as their product team can not reproduce condition," SEC Consult said in an advisory. After the publication of SEC Consults advisory, Microsoft later reproduced the issue and posted its advisory.


In the absence of a patch, Microsoft recommends the following:

Raise the browsing security level in Microsoft Internet Explorer, via Tools > Internet Options > Security Tab > Internet icon.

"Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High. If no slider is visible, click Default Level, and then move the slider to High."

More information on suggestion actions is available in Microsofts security advisory.


For insights on security coverage around the Web, check out Security Center Editor Larry Seltzers Weblog.