Feeds

Really critical hole in Microsoft Web software

Unchecked buffer

  • alert
  • submit to reddit

Next gen security for virtualised datacentres

ComputerWire: IT Industry Intelligence

Just one day after raising the threshold beyond which it considers security vulnerabilities "critical", Microsoft Corp released a security advisory saying there is a "critical" hole in its browsers and web servers that could cause serious problems, even if it is patched.

There is an unchecked buffer in Microsoft Data Access Components (MDAC) prior to version 2.7, the company said. MDAC is a "ubiquitous" technology used in Internet Explorer and the IIS web server. The buffer can be overrun with a malformed HTTP request, allowing arbitrary code to be executed on the target machine.

"This vulnerability is rated critical because an attacker could take over an IIS server or an Internet Explorer client and run code," Microsoft warned. "Any IIS server with MDAC and all Internet Explorer clients should apply the patch immediately."

Since Tuesday, Microsoft has defined "critical" as: "A vulnerability whose exploitation could allow the propagation of an internet worm without user action." This suggests this latest vulnerability could give rise to a virus as dangerous as Code Red, which spread to thousands of IIS servers last year.

To make matters worse, it is currently possible to make patched systems vulnerable again, Microsoft said.

Normally, when an ActiveX control is vulnerable to an attack, Microsoft's patch merely delivers a new, invulnerable control and sets a "Kill Bit" on the old one. Controls with set Kill Bits cannot be invoked by Internet Explorer. However, in this case it is not possible to set the Kill Bit without rendering countless web sites unreadable, Microsoft said.

A malicious attacker would be able to reintroduce the vulnerable control with just a specially HTML document. Users that have their browsers configured to trust Microsoft-signed ActiveX controls by default would have the vulnerability reintroduced without their knowledge.

Without a hint of irony, the company recommends removing "Microsoft" from IE's Trusted Publisher list (accessible via IE's Internet Options menu), in order to prompt a warning whenever a Microsoft-signed ActiveX control attempts to install itself. The company is working on a more permanent fix.

© ComputerWire

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.