The threat posed by a critical flaw in Internet Explorer has been ratcheted up by the release of a program designed to exploit the vulnerability, security researchers warned on Thursday.
Security information provider Secunia raised the buffer overflow flaw to its highest rating in a new advisory. The vulnerability, which was made public on Tuesday, could be used to make Internet Explorer trigger a malicious program when the Microsoft browser loads a specially formatted Web page. The flaw does not affect Windows XP Service Pack 2, Secunia said.
"This advisory has been rated 'extremely critical', as a working exploit has been published on public mailing lists," the company said.
The Iframe flaw is the latest in a series of security issues related to Internet Explorer. This week, ScanSafe found that a flaw in the browser had racked up the highest number of attacks for one exploit in the second quarter. In addition, Microsoft has been drawn into a debate whether a spoofing technique that uses Internet Explorer can be described as a flaw. Last month, security companies sent out a warning that a set of security holes affected Microsoft's browser among other major Web software.
Microsoft has begun to investigate the Iframe vulnerability and has not been made aware of any program designed to exploit the flaw, the company said in an email statement to ZDNet UK sister site CNET News.com.
"Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs," the company stated.
The software company took issue with the public release of the vulnerability before it had been notified.
"Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk," the company said in the statement. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."
For now, users can upgrade to Windows XP SP 2 or use a different browser.
The US watchdog for Internet threats, the Computer Emergency Readiness Team (CERT), has also warned government and industry users about the Iframe flaw. According to the US-CERT advisory, the problem is caused by how Internet Explorer handles certain attributes of frames, which is a way of displaying Web content in separate parts of the browser window.
The US-CERT alert notes that other programs using the WebBrowser Active X control, could be affected by the vulnerability. These programs include Microsoft's Outlook and Outlook Express, America Online's browser, and Lotus Notes.
Talkback
Thirty steps to PC security
This article describes the steps necessary to secure your Windows operating system from malicious exploits. The solutions listed below will protect you from every major vulnerability found on the Internet today, June 08, 2005. If by chance you would prefer to use tested software to enable these solutions, go to http://www.geocities.com/turbotramp2/samurai.html or click http://www.geocities.com/turbotramp2/samurai.zip to download the most recent version of Samurai. This Host-based Intrusion Prevention System will secure your machine using the solutions listed below.
DISABLE INSECURE CONTROLS: Disable known insecure ActiveX controls.
This solution disables the use of insecure ActiveX controls. The registry key “HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility” is updated with the GUID’s of known insecure controls that do not affect normal operation when disabled. The GUIDs are:
// ADODB control
{00000566-0000-0010-8000-00AA006D2EA4}
// Shell.Application
{13709620-C279-11CE-A49E-444553540000}
// AnchorClick DHTML Behavior
{8856F961-340A-11D0-A96B-00C04FD705A2}
// Image Control 1.0 (uses asycpict.dll)
{D4A97620-8E8F-11CF-93CD-00AA00C08FDF}
// DHTML Editing Control
{2D360201-FFF5-11D1-8D03-00A0C959BC0A}
PREVENT AIM EXPLOIT: Disable the AIM URL protocol handler.
This solution prevents the use of the AIM URL protocol by replacing the insecure ActiveX GUID with a harmless substitute, in this case the HTML Help GUID is used. The AIM URL protocol is not required for normal operation and does not affect AOL Instant Messaging.
The registry key is “HKCR\PROTOCOLS\Handler\aim”.
The registry value is “CLSID”.
PREVENT ANONYMOUS ACCOUNTS: Prevent anonymous accounts.
This solution prevents the use anonymous sessions by setting the registry value “HKLM\System\CurrentControlSet\Control\Lsa\restrictanonymous” to true. This setting will not become active until the machine is rebooted. As such, “The new configuration will require a reboot” will be displayed when this setting is altered in Samurai.
DISABLE AUTO FILE OPEN: Disable automatic file open from explorer.
This solution prevents Explorer from opening files without first prompting the user. This is accomplished by masking all auto open bits in EditFlags values of registry keys located in HKLM\Software\Classes, HKLM\Software\Classes\Shell\Open, HKLM\Software\Classes\CLSID, HKCU\Software\Classes, HKCU\Software\Classes\Shell\Open and HKCU\Software\Classes\CLSID.
STOP BIT SERVICE: Stop the Background Intelligent Transfer Service.
This solution stops the Background Intelligent Transfer Service. This service is not required for normal operation and can be abused to allow full control of a host machine from a remote computer.
DISABLE URL PROTOCOLS: Disable dangerous URL protocols.
This solution disables the use of insecure URL types "ms-its”, "ms-itss", "its", "mk" and "local" by removing the type entries from the “HKLM\Software\Classes\Protocols\Handler” and “HKCR\Protocols\Handler” registry keys.
DISABLE DYNAMIC ICONS: Disable insecure job icon handlers.
This solution disables dynamic icon handlers for (.job) JobObject files by removing the "IconHandler" keys from "HKCR\JobObject\shellex" and "HKLM\SOFTWARE\Classes\JobObject\shellex". Dynamic job icon handlers are not required for normal operation and can be abused to allow full control of a host machine from a remote computer.
SECURE EXPLORER ZONE 0: Set and secure "My Computer" zone.
This solution secures “My Computer Zone” by resetting the values of the registry key “SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0”. These special settings prevent many vulnerabilities including MS05-001, MS05-008 and MS05-014. The settings are:
1001 Download signed ActiveX controls Disable
1004 Download unsigned ActiveX controls Disable
1200 Run ActiveX controls and plug-ins Prompt
1201 Initialize and script Act