Un-patchable IE vulnerability "in the wild": Experts

Security experts have warned that a vulnerability that has apparently been left un-patched by Microsoft is being exploited by attackers "in the wild".

The "object type" vulnerability, which was first acknowledged publicly by Microsoft on 20 August this year, allows an attacker to take control of a system by embedding malicious code in a Web page. If the Web page is viewed with an Internet Explorer browser -- even a fully patched browser -- the malicious code embedded in the page will execute, experts say. Despite Microsoft acknowledging that its patch doesn't work, it evidently has not yet issued a working fix for the vulnerability.

U.S.-based information security company iDefense released a statement over the weekend claiming the vulnerability is being actively exploited "in the wild".

"Whether you are patched or not, attackers can execute code on your computer at will when you visit a hostile website when using vulnerable versions of Internet Explorer," the statement read.

The relevant Microsoft bulletin was issued on 20 August and last updated on 8 September.

"Subsequent to issuing this security bulletin, Microsoft received reports that the patch provided with this bulletin does not properly correct the Object Type Vulnerability," Microsoft's security bulletin reads. "Microsoft is investigating these reports and will re-issue this bulletin with an updated patch that corrects these problems."

Managing director of mail filtering software company Clearswift, Chy Chuawiwat, told ZDNet Australia the vulnerability is serious. "It's definitely there and it continues to be easy to exploit," he said. "It could run anything and the users wouldn't know."

Chuawiwat suggests users disable ActiveX controls and plug-ins until Microsoft issues a patch that fixes the vulnerability. "For most enterprises there's no need for ActiveX so it should be disabled," he said. "Our standard policy would remove executables including ActiveX."

Users can disable ActiveX controls in their Internet Explorer settings by clicking Tools, Internet Options, Security, and then modifying the settings for the "Internet Zone". Ironically, in order to patch the system through Microsoft's WindowsUpdate Web site when a fix becomes available, users must allow ActiveX controls and plug-ins to run in the Internet zone.
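As an added example (not part of the original article), the following PowerShell script audits and disables the ActiveX settings behind the Internet Zone dialog described above by writing the registry values that dialog controls, and maps an update host into the Trusted sites zone so ActiveX can stay off in the Internet zone. The action IDs and zone numbers are Microsoft's documented Internet Explorer zone settings; the update hostname used is an assumption.

```powershell
# Added example: audit/disable ActiveX in the Internet zone (zone 3) for the
# current user, i.e. the registry values written by Tools > Internet Options >
# Security > Internet. Per-action values: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$ActiveXActions = @{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1405' = 'Initialize and script ActiveX controls not marked as safe for scripting'
}

function Get-ActiveXZonePolicy {
    # Report the current setting of each ActiveX action in the Internet zone.
    foreach ($id in $ActiveXActions.Keys) {
        $raw = (Get-ItemProperty -Path $ZoneKey -Name $id -ErrorAction SilentlyContinue).$id
        if ($null -eq $raw) {
            $state = 'Unset (zone default)'
        } else {
            $state = switch ($raw) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { "Unknown ($raw)" } }
        }
        [pscustomobject]@{ Id = $id; Action = $ActiveXActions[$id]; State = $state }
    }
}

function Disable-ActiveXInInternetZone {
    # Set every ActiveX action to Disable (3), matching the article's advice.
    foreach ($id in $ActiveXActions.Keys) {
        Set-ItemProperty -Path $ZoneKey -Name $id -Value 3 -Type DWord
    }
}

function Add-TrustedUpdateSite {
    # Workaround for the catch the article notes: instead of re-enabling ActiveX
    # in the Internet zone to reach Windows Update, map the update host into the
    # Trusted sites zone (2), which allows ActiveX by default. The hostname is an
    # assumption; substitute the real update host for your environment.
    param([string]$Domain = 'microsoft.com', [string]$HostLabel = 'windowsupdate')
    $mapKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain\$HostLabel"
    New-Item -Path $mapKey -Force | Out-Null
    Set-ItemProperty -Path $mapKey -Name 'http'  -Value 2 -Type DWord
    Set-ItemProperty -Path $mapKey -Name 'https' -Value 2 -Type DWord
}

# Typical use: check, lock down, whitelist the update host, then re-check.
Get-ActiveXZonePolicy | Format-Table -AutoSize
Disable-ActiveXInInternetZone
Add-TrustedUpdateSite
Get-ActiveXZonePolicy | Format-Table -AutoSize
```

Group Policy or HKLM settings can override these per-user values, so on a managed machine confirm the effective setting in the Security tab after running the script.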


Talkback 4 comments

  1. Geoff Stevenson -- 30/09/03

    Windows is basically substandard, worm-infested virus-ware. The world's most expensive virtual petri-dish. Brought to you by an aggressive, foreign, convicted monopolist. You do not own this pain, you subscribe to it. You have to waive all your rights as a consumer (thru the EULA) just to pollute your hardware with it. It's unstable, insecure and inefficient. A testament to Microsoft's marketing skills, as opposed to their paltry software engineering skills.

  2. Anonymous -- 30/09/03

    Oh great... another fanatical Microsoft hater. Tell me, Geoff... How do you create bug free software? I'm sure the rest of the world would be interested in your flawless development methodology.

    It's very simple... let me try to explain it to you with words you can understand. Microsoft has billions of people using (read: testing) their software every day. As a comparison Linux has a much smaller percentage of people using the OS and therefore a smaller percentage of the existing bugs are found.

    I would bet a truck-load of cash that if one day everybody decided that they would use Linux instead of Windows, all of the virus-writers who used to develop for Windows would switch OS, creating an avalanche of new Linux virii. Enough bugs would be found to keep Mr Torvalds and Linux Distributors busy for millennia.

    It's all very nice to sit on your high-horse Geoff, and **** about how bad other people's software is... Maybe you should submit a large sample of code for ZDNet to review... I would be happy to put forward my view on the quality of your code.

  3. Anonymous -- 30/09/03

    http://www.pivx.com/larholm/unpatched/

    As of 11 September 2003 there are currently 31 unpatched vulnerabilities in Microsoft's Internet Explorer. Some serious vulnerabilities remain, without an update to fix them, that Microsoft has known about for over a YEAR.

    No other software vendor, either closed or open source, wastes this amount of time to secure their software.

    Is this what Microsoft deems to be considered "Trustworthy"?

  4. Keith Styles -- 30/09/03

    **SIGH** The arguments and crits of M$ go on endlessly. Both Geoff and Jason make valid observations, however it is time M$ did something about their poor track record of sub-standard programming methods and even worse QA and security. There IS NO excuse for the continued deployment of BUFFER overflow problems and vulnerabilities. The problem has been around and known about for years & yet M$ still allow it to get thru their QA process. It is just not good enough. As long as M$ continues to try and monopolize the IT industry, without due regard for security and their customers, we will always have this endless argument. They WILL lose customers in the long run. Have no doubt about it! Meanwhile, Mandrake 9.2 is about to be loaded on my PC to update 9.0. The best move I have ever made.
