Network Computing is part of the Informa Tech Division of Informa PLC

IE At Risk To New Unpatched Bug

Exploit code for an unpatched vulnerability in Microsoft's Internet Explorer is circulating, a security company said Friday, but the danger remains low as the current attack only crashes the browser.

Fully patched Windows XP SP2 and Windows 2000 SP4 systems are open to the new attack, said David Cole, director of Symantec's security response group. "This is proof-of-concept code, we haven't seen any active exploits," said Cole. "Whether it grows into something bigger is heavily linked to if it gets remote code execution [capabilities]," he added.

The news comes just three days after Microsoft released its newest security updates. Tuesday's updates, however, did not patch the company's browser; the last IE update was an August fix that ended up being released three different times, most recently this week.

No patch is currently available for the bug, which Microsoft acknowledged it is investigating. In a security advisory issued Thursday, the Redmond, Wash. developer said that it would release a patch either in its regularly scheduled monthly update or as an out-of-cycle fix. Windows Server 2003 is not at risk.

The new IE problem is related to an ActiveX control (Microsoft DirectAnimation Path) that's part of the "daxctle.ocx" COM object. An attacker who successfully exploited the vulnerability could hijack the computer, Microsoft acknowledged, without any interaction once a user had been enticed to a malicious Web site.
