Security experts warn a new, unpatched vulnerability in Internet Explorer might be used to spread malware. A flaw in Microsoft's Direct Animation Path (daxctle.ocx) ActiveX control, rated as critical [1] by Secunia and other security watchers, has spawned [2] proof of concept code but has not yet become the subject of widespread, hostile attack. Memory corruption is possible [3] even on a fully patched Windows XP system.

A patch is unlikely until next month's Patch Tuesday update. Microsoft said it was investigating [4] the problem. Surfers are advised to restrict which sites they allow to run ActiveX controls or here [5] ActiveX controls altogether. Tech-savvy IE users might try a workaround from the SANS Institutes's Internet Storm Centre, as explained here [6]. A simpler solution, at least until Microsoft releases a patch, might be to use Firefox, Opera or all any other alternative browser. ®

Links

1. http://secunia.com/advisories/21910
2. http://www.symantec.com/enterprise/security_response/weblog/2006/09/new_internet_explorer_0day_vul.html
3. http://www.frsirt.com/english/advisories/2006/3593
4. http://www.microsoft.com/technet/security/advisory/925444.mspx
5. http://www.us-cert.gov/cas/alerts/SA06-258A.html
6. http://isc.sans.org/diary.php?storyid=1706

Related stories

• IE and Firefox blighted by fake login flaw (23 November 2006)

  http://www.theregister.co.uk/2006/11/23/fake_login_flaw/

• MS preps six fixes for November Patch Tuesday (10 November 2006)

  http://www.theregister.co.uk/2006/11/10/nov_patch_tuesday-pre-alert/

• Attackers end-run around IE security (8 November 2006)

  http://www.theregister.co.uk/2006/11/08/ie_security_analysis/

• Web viruses drop off despite IE exploit flap (18 October 2006)

  http://www.theregister.co.uk/2006/10/18/malware_trends_scansafe/

• IE7 to debut in October (10 October 2006)

  http://www.theregister.co.uk/2006/10/10/ie7_release_latest/

• Busy Patch Tuesday looms (6 October 2006)

  http://www.theregister.co.uk/2006/10/06/october_patch_tuesday_pre-notice/

• MS releases emergency IE fix (27 September 2006)

  http://www.theregister.co.uk/2006/09/27/ms_emergency_patch/

• MS mulls emergency IE fix (26 September 2006)

  http://www.theregister.co.uk/2006/09/26/ms_ie_fix_plan/

• Unofficial IE patch saves humanity (25 September 2006)

  http://www.theregister.co.uk/2006/09/25/unofficial_ie_patch/

• Smut sites use IE exploit to spread spyware (21 September 2006)

  http://www.theregister.co.uk/2006/09/21/ie_exploit/

• Patch Tuesday omits critical Word fix (14 September 2006)

  http://www.theregister.co.uk/2006/09/14/ms_patch_tuesday/

• Unpatched enterprise security bugs proliferate (24 August 2006)

  http://www.theregister.co.uk/2006/08/24/0-day_manace/

• Microsoft flaw fix opens users to attack (24 August 2006)

  http://www.theregister.co.uk/2006/08/24/microsoft_flaw_update/

• ActiveX security faces storm before calm (2 August 2006)

  http://www.theregister.co.uk/2006/08/02/activex_security_storm/

• MS announces plans to deliver IE7 as security update (27 July 2006)

  http://www.theregister.co.uk/2006/07/27/ie7_auto_update/

• Browser crashers warm to data fuzzing (13 April 2006)

  http://www.theregister.co.uk/2006/04/13/data_fuzzing/

• Patches released for zero-day IE threat (29 March 2006)

  http://www.theregister.co.uk/2006/03/29/ie_patches_released/