US-CERT, meanwhile, recommended taking the somewhat-extreme steps of either disabling all ActiveX controls or setting what's called a "kill bit" using the registry to disarm only the FlashPix control. In that case, infection would occur as soon as the recipient viewed the message.ĭanish bug tracker Secunia rated the vulnerability as "highly critical," its second-highest threat ranking in its five-step scoring system. Alternately, an HTML e-mail message - with the exploit buried in the HTML - could also be used. The likely attack scenario, said US-CERT, would be a malicious site that includes the exploit, and spam that tries to dupe users into clicking on a link to that site. A company spokeswoman, however, said Microsoft would provide a patch if necessary and added: "We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact." For its part, Microsoft acknowledged it is investigating Kloskowski's claim but it did not answer a query about whether IE 7 users are at risk. Internet Explorer 6 (IE 6) can be leveraged to exploit the flaw, noted Kloskowski, but he did not say if the newer IE 7 is also a workable attack vector. More importantly, according to an advisory issued by US-CERT on Sunday, "because the FlashPix ActiveX control is marked 'Safe for Scripting,' Internet Explorer can be used as an attack vector for this vulnerability." The DirectX software development kit Microsoft issued in 2002 contains a critical vulnerability, a Polish researcher claimed as he released attack code that can hijack Windows PCs by tempting Internet Explorer users to malicious sites.Īccording to Krystian Kloskowski, who posted exploit code on the site, the FlashPix ActiveX control included with DirectX Media 6.0 SDK contains a buffer overflow bug that can be exploited.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |