Hole Reported in Microsoft Patch

Vulnerability leaves IE users open to attack, security community says.

Paul Roberts, IDG News Service

Security experts are warning Microsoft customers about silent Internet attacks that exploit a security flaw in the Internet Explorer Web browser, potentially allowing remote attackers to run malicious code on vulnerable machines.

The vulnerability is similar in scope to vulnerabilities exploited by devastating worms such as Nimda, Badtrans, and Klez, according to one security company. And to make matters worse, the flaw is one Microsoft said it fixed weeks ago.

Known Problem

The security hole, known as the "Object Data vulnerability," affects IE versions 5.01, 5.5, and 6.0. It concerns the way that IE processes HTML pages that contain a special element called the Object Data tag. If properly exploited, the vulnerability could enable an attacker to place a malicious computer program on a user's system. The user would only need to open an e-mail message or visit a Web page containing the attack code to activate it.

On August 20, Microsoft released a patch for IE, MS03-032. The company said it closed the hole and patched other security holes in IE.

But according to a message posted to a prominent security discussion group Sunday, the vulnerability still exists on machines using IE even after users have applied the patch.

That message, posted by an individual using the name "http-equiv@excite.com," contains sample code that shows IE is still vulnerable to attack. The exploit would trigger the vulnerability from HTML pages that are created dynamically by script, such as JavaScript, embedded in Web pages or e-mail messages.

Under Investigation

A Microsoft spokesperson confirms the company is investigating the reports of new exploits for one of the vulnerabilities addressed in the MS03-032 security bulletin.

However, Microsoft still recommends that customers install that patch.

Microsoft is not aware of any customers who have been attacked using the vulnerability, according to the spokesperson.

However, security researchers say at least one exploitation of the Object Data vulnerability is already circulating online.

An e-mail message that contains HTML code that exploits the vulnerability is used to silently retrieve and run a file, drg.exe, that installs a file called surferbar.dll onto the victim's computer, according to security company Secunia, of Copenhagen, Denmark.

That file adds a new bar to the affected users' Internet Explorer Web browser with links to pornographic Web sites, the company says.

The Object Data vulnerability is also similar to an earlier IE security hole dating back to 2001. That flaw, described in Microsoft's alert MS01-020, was exploited by virulent e-mail worms such as Nimda and Klez, according to Secunia.

Alternative Fixes

Security experts familiar with the issue say that Microsoft's failure to thoroughly test its patch against attack scenarios using the Object Data vulnerability is a black eye for the company.

"Microsoft should be ashamed. This is a major embarrassment," says Richard Smith, an independent security analyst based in Boston.

The problem with the Object Data vulnerability is similar to a hole found in a prior Microsoft patch, according to Israeli security company GreyMagic Software, which issued a report on the problem in February 2002.

That similarity points to problems with Microsoft's patch-testing process, Smith says.

"They need to go back and look at how this slip-up occurred. They keep saying they can't prevent bugs, but when the same problems keep occurring over and over, that's a management issue," he says.

A Microsoft spokesperson says the company is committed to keeping customers' data safe and will take "appropriate action" to protect customers when its investigation into the new exploits is complete.

In the absence of a patch from Microsoft to fix the problem, security experts recommend disabling support for Active Scripting on affected IE versions. Failing that, users should consider uninstalling the popular browser to protect themselves from attack, experts say.
