Researcher: IE Cumulative Patch Inadequate
Secunia is warning that a variant of the 'Object Data' vulnerability is being actively exploited.
Security research firm Secunia has recommended that users of Microsoft's Internet Explorer browser disable ActiveX controls and plugins to protect against a variant of the "Object Data" vulnerability.
The Secunia warning comes just one week after Microsoft
issued a cumulative patch for the IE browser that carried a
However, in a special update, Secunia said Microsoft's cumulative patch was not adequate and warned that exploitation of the most serious security hole was already discovered in the wild. "Analysis shows that the exploit installs a program called ADPlus module or SurferBar, which is added to a users Internet Explorer and contains links to various porn sites," the company cautioned."The "Object Data" vulnerability is straightforward to exploit. In many ways, this vulnerability is similar to [a previous flaw] which was exploited by notorious viruses like Nimda, Badtrans and Klez," the company said.
Efforts to contact Microsoft were not successful at press time.
To protect against the vulnerability, IE users should disable Active Scripting until Microsoft provides a comprehensive fix.
Secunia said the "Object Data" hole can be targeted via e-mail or specially-crafted Web sites to allow execution of arbitrary code on the client system.
To determine the safety of an object, the IE browser interprets the file extension specified in the "Object Data" tag. "This allows a malicious person to specify a "safe" file with eg. a ".html" extension in "Object Data", which causes Internet Explorer to interpret it as a "safe" file, the company explained. However, when the file is retrieved by IE, the "Content-Type" header determines how the file will be treated. "This allows an executable file like a ".hta" file to be treated as a "safe" file and be executed silently without restrictions," Secunia warned.
The flaw, which Secunia described as "extremely critical," affects Microsoft IE versions 5.01, 5.5 and 6.0.