Unpatched IE Flaw Announced
Microsoft is still investigating flaw, will release patch when ready
Monday, July 04, 2005
By: Brian Ashe
Microsoft has issued a security announcement regarding a potentially serious flaw in its Internet Explorer web browser. The flaw concerns a COM object, the JVIEW Profiler (Javaprxy.dll), which is part of the Microsoft Java Virtual Machine.
The warning from Microsoft states "Microsoft is investigating a new public report of a vulnerability affecting Internet Explorer. We have not been made aware of any attacks attempting to use the reported vulnerability or customer impact at this time, but we are aggressively investigating the public report."
The security research firm French Security Incident Response Team (FrSIRT) has publicized exploit code for the flaw discovered by SEC Consult as posted in their advisory. The release of this exploit code prior to an official patch from Microsoft greatly increases the chances for the flaw to be exploited for malicious purposes.
The published example demonstrates that the flaw has the potential to run arbitrary code on the victim's computer. In response, Microsoft has recommended that caution be taken when clicking links in e-mails. It has also provided instructions for disabling the vulnerable library until a patch has been issued.