Security firm: IE patch does not work

Dom · Sep 9, 2003, 01:17 AM

The "object type" vulnerability was discovered by eEye Digital Security around four months ago. A patch was released on Aug. 20. It was then re-released on Aug. 28, because under some circumstances it had caused problems for some non-default operating system installations, according to eEye. The patch appears to be due for yet another rerelease because it simply doesn't fix the vulnerability it is supposed to, eEye said.

The vulnerability in question can be exploited by crafting a malicious HTML file that, when viewed by an Internet Explorer browser, extracts and executes malicious code.

A Microsoft representative said the company was investigating the eEye report but added it has not received any reports of customers being affected by the claimed variation of the original vulnerability. The company is continuing to distribute original patch and recommends Internet Explorer users who haven't applied it, do so promptly.

Marc Maiffret, eEye's chief hacking officer, said the vulnerability is particularly critical, because it doesn't take a lot of effort to take advantage of it.

"It's pretty serious just because it's so easy to exploit...it doesn't require someone to know how to write buffer overflow exploits or anything like that," he said.

Read More...

Sep 9, 2003, 01:17 AM	#1
Dom DriverHeaven Extreme Member Join Date: Jun 2002 Posts: 12,940 Rep Power: 0	Security firm: IE patch does not work The "object type" vulnerability was discovered by eEye Digital Security around four months ago. A patch was released on Aug. 20. It was then re-released on Aug. 28, because under some circumstances it had caused problems for some non-default operating system installations, according to eEye. The patch appears to be due for yet another rerelease because it simply doesn't fix the vulnerability it is supposed to, eEye said. The vulnerability in question can be exploited by crafting a malicious HTML file that, when viewed by an Internet Explorer browser, extracts and executes malicious code. A Microsoft representative said the company was investigating the eEye report but added it has not received any reports of customers being affected by the claimed variation of the original vulnerability. The company is continuing to distribute original patch and recommends Internet Explorer users who haven't applied it, do so promptly. Marc Maiffret, eEye's chief hacking officer, said the vulnerability is particularly critical, because it doesn't take a lot of effort to take advantage of it. "It's pretty serious just because it's so easy to exploit...it doesn't require someone to know how to write buffer overflow exploits or anything like that," he said. Read More...