Computer code that could be used to hijack Windows PCs via a yet-to-be-patched Internet Explorer flaw has been posted on the Net, experts have warned.
The code was published on public Web sites, where it is accessible to miscreants who might use it to craft attacks on vulnerable Windows computers. Microsoft is investigating the issue, the company representative said in a statement on Thursday.
"Microsoft's initial investigation reveals that this exploit code could allow an attacker to execute memory corruption," the representative said. As a workaround to protect against potential attacks, Microsoft suggests Windows users disable ActiveX and active scripting controls.
The flaw is due to an error in an ActiveX control related to multimedia features and could be exploited by viewing a rigged Web page, Symantec said in an alert sent to users of its DeepSight security intelligence service on Thursday. An attacker could commandeer a Windows PC or cause IE to crash, the security company said.
IE versions 5.01 and 6 on all current versions of Windows are affected, the French Security Incident Response Team, or FrSIRT, a security-monitoring company, said in an alert Wednesday. FrSIRT deems the issue "critical", its most serious rating. Microsoft noted that Windows 2003 running Enhanced Security Configuration is not affected.
Upon completion of its investigation, Microsoft may issue a patch for the flaw as part of its monthly release process, the company said. Microsoft is not aware of any attacks that attempt to exploit the new IE vulnerability at this time, it said.
The warning of the new flaw comes only days after Microsoft released its September patches. On Tuesday it released three updates, two for Windows and one for Office. The software maker also released a third version of an Internet Explorer fix after it botched the first two versions of the patch.
In recent months, word of new attacks has repeatedly followed shortly after "Patch Tuesday". Some experts believe the timing of the new attack is no coincidence, suggesting that attackers look to take advantage of a full month before Microsoft is scheduled to release its next bunch of fixes.
Talkback
"disable ActiveX"
How much longer is the public going to put up
with this Flawed software? ActiveX should be disabled on ALL computers by default, or M$
needs to remove it from their sorry OS! And now
they want everyone to upgrade to vista? This is not a fix for all the older computers out there.
The best way to upgrade is to remove that
useless fragment of excrement from your system and upgrade to Linux or MAC. Going to another version of M$ is just getting new flaws.