- BlackBerry Storm vs. the iPhone
- Digg's Kevin Rose: "We have to do better"
- Blogger warns: "Nortel doesn't make it out alive"
- Financial quagmire bringing out the scammers
- Verizon plays with the wrong e-mail addresses
Newsletters | Podcasts | Chats | Opinions | RSS Feeds | This Week In Print | IT Careers | Community | Reports | Downloads | Slideshows | New Data Center
Partner Sites:Application Performance Solutions | App Performance | Networking Solution | SafeGuard Enterprise Solution Center | SOA | Test your Web Filter | Value of WDS
An unpatched bug in a file installed with Microsoft 's Office and Visual Studio software could lead to some serious problems for Internet Explorer users, security researchers have reported.
An attacker could seize control of a vulnerable system by exploiting the bug, which the French Security Incident Response Team (FrSIRT) reported in an alert published Wednesday. This would be achieved by installing malicious code in a Web page that exploits a memory corruption error in a file that ships with Microsoft Office 2002 and Microsoft Visual Studio .Net 2002 products, the research organization said.
Though the attack would be executed via the popular Internet Explorer (IE) browser, only systems that contain the file in question, called Msdds.dll, are vulnerable, FrSIRT said. The FrSIRT said it has not yet seen a patch for the vulnerability.
Msdds.dll is software that is used for creating customized Office applications, according to Russ Cooper, senior information security analyst for Cybertrust.
Cooper does not believe that this file has been installed on a large number of Windows systems. "I'm not concerned about it," he said via instant message. "I don't doubt it is shipped with the full Office Professional installation CD, but I highly doubt it is installed automatically."
Neither Microsoft nor FrSIRT could say whether this file was installed by default with Office or Visual Studio.
Microsoft has yet to see any attackers taking advantage of the flaw, a Microsoft spokeswoman said Thursday. But reports are circulating of Web sites that take advantage of another Internet Explorer bug, which Microsoft patched on Aug. 9.
About a dozen Web sites have cropped up that take advantage of a flaw in IE's JPEG rendering engine, according to Dan Hubbard, senior director of security and research with Websense. If unpatched IE users go to these Web sites, their systems could be made to crash, or they could be made to run software that allows an attacker to gain control of the system, he said.
Because users must first be tricked into clicking on the malicious Web site for the attack to work, this exploit is not considered as dangerous as the recent round of Windows Plug and Play worms that were widely reported earlier this week.
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 |
Copyright © 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask prospective vendors to get the right endpoint solution.
Download the white paper.
Applications: taking back control
Employees installing unauthorized applications is a growing threat to business security and productivity. Cost-effectively reduce this threat by integrating control into your malware protection.
Learn more today.
Comment