Hot on the heals of news that rival Hacker gangs are holding virtual rumbles on your W2K box
comes details of another MS product flaw. One that is unpatched by Redmond, and has security consultants rubbing their chins, taking sharp intakes of breath and shaking their heads:
Microsoft is investigating an IE security bug amid fears that a hacker attack based on the vulnerability is imminent. A flaw in Microsoft DDS Library Shape Control COM object (msdds.dll) is at the centre of the security flap.
Security researchers warn that msdss.dll might be called from a webpage loaded by Internet Explorer and crash in such a way that allows hackers to inject potentially hostile code into vulnerable systems. That's because IE attempts to load COM objects found on a web page as ActiveX controls, as is the case with msdds.dll. A programming object is not supposed to be used in this way. So hackers might be able to take control of systems by tricking users into visiting a maliciously constructed web site. US-CERT warns that exploit code to do this is already available but Microsoft said it's not aware of any attacks.
More from The Register here
No patch - but Microsoft is suggesting that you turn off ActiveX for the time being. I'm sure the other suggestions in the article (Moving to Firefox or Opera) came from the el Reg staff rather than Vole central...
Discuss this news over in the ever popular news forum!