The Web    Google
Researcher: IE Cumulative Patch Inadequate

Researcher: IE Cumulative Patch Inadequate
September 8, 2003
Ryan NaraineBy

Security research firm Secunia has recommended that users of Microsoft's Internet Explorer browser disable ActiveX controls and plugins to protect against a variant of the "Object Data" vulnerability.

The Secunia warning comes just one week after Microsoft (, ) issued a cumulative patch for the IE browser that .

However, in a special update, Secunia said Microsoft's cumulative patch was not adequate and warned that exploitation of the most serious security hole was already discovered in the wild. "Analysis shows that the exploit installs a program called ADPlus module or SurferBar, which is added to a users Internet Explorer and contains links to various porn sites," the company cautioned.

"The "Object Data" vulnerability is straightforward to exploit. In many ways, this vulnerability is similar to [a previous flaw] which was exploited by notorious viruses like Nimda, Badtrans and Klez," the company said.

Efforts to contact Microsoft were not successful at press time.

To protect against the vulnerability, IE users should disable Active Scripting until Microsoft provides a comprehensive fix.

Secunia said the "Object Data" hole can be targeted via e-mail or specially-crafted Web sites to allow execution of arbitrary code on the client system.

To determine the safety of an object, the IE browser interprets the file extension specified in the "Object Data" tag. "This allows a malicious person to specify a "safe" file with eg. a ".html" extension in "Object Data", which causes Internet Explorer to interpret it as a "safe" file, the company explained. However, when the file is retrieved by IE, the "Content-Type" header determines how the file will be treated. "This allows an executable file like a ".hta" file to be treated as a "safe" file and be executed silently without restrictions," Secunia warned.

The flaw, which Secunia described as "extremely critical," affects Microsoft IE versions 5.01, 5.5 and 6.0.

  • 'Critical' Office 2003 Patch Released
  • 4/22: Kelvir-R Trojan Hits IM Contacts
  • 2/21: MyDoom-BE Worm Harvests Addresses
  • AntiOnline Spotlight: Trojan Force
  • Keeping Score of Identity Risks
  • Hitachi offers up centralized application security platform
  • Schumer Introduces No Spam Registry Bill
  • Lasco.A Poses New Mobile Threat
  • Is Bill Gates Sincere About Security?
  • 11/16: Agobot-NX an IRC Trojan & Worm
  • Macromedia, RealNetworks Release Patches
  • Buy Security Camera