The Register has a story on a new security hole in Microsoft’s Internet Explorer browser and IIS web server. The security hole could let an attacker run code on any machine using IE or IIS, but what’s particularly scary about this one is that systems up to date with the latest patches may not be safe.
Normally, when an ActiveX control is vulnerable to an attack, Microsoft’s patch merely delivers a new, invulnerable control and sets a “Kill Bit” on the old one. Controls with set Kill Bits cannot be invoked by Internet Explorer. However, in this case it is not possible to set the Kill Bit without rendering countless web sites unreadable, Microsoft said.
A malicious attacker would be able to reintroduce the vulnerable control with just a specially HTML document. Users that have their browsers configured to trust Microsoft-signed ActiveX controls by default would have the vulnerability reintroduced without their knowledge.
Microsoft is working on a permanent fix, but what’s their suggested solution for now? Remove “Microsoft” from your browser’s list of trusted sites. Trustworthy computing indeed.
Share
