Monday, January 10, 2005

Exploit code attacks unpatched IE bug.

Code which exploits a vulnerability in the HTML Help control of Internet Explorer has been released onto the net. Secunia has upgraded the vulnerability, uncovered in October 2004, to "extremely critical". Even users who have upgraded to Windows XP SP2 with all available patches are affected, the security reporting firm warns. The vulnerability can be exploited by malicious people to place and execute arbitrary programs on a client system if a user visits a malicious website. It doesn't require user interaction. The vulnerability was originally discussed as the Drag'n'Drop vulnerability back in October 2004. The new development only utilises flaws in the HTML Help control. Users can only protect themselves by disabling ActiveX support or using another product. Some AV products are detecting this heuristically and some of them by use of a signature. Some are not detecting it!