Critical hole in Ask.com search engine toolbar
According to reports, the toolbar (askBar.dll) of the Ask.com search engine contains a critical security hole that can be exploited to gain control over a Windows PC if the victim surfs the web with administrator privileges. Merely visiting a manipulated web site might be the only requirement for falling victim to a successful attack. A public exploit has now been made available.
The first information on the hole was offered on WabiSabiLabi, an auction platform where vulnerabilities and exploits can be traded, but soon detailed information and an exploit were published on Bugtraq, and so the auction is now redundant. For some weeks, opponents of the exploit marketplace have published information and exploits on traded holes free of charge.
The current hole affects only the Internet Explorer versions of the toolbar up to and including 18.104.22.168. The vulnerability is caused by a buffer overflow in the AskJeevesToolBar.SettingsPlugin.1 ActiveX control. No update has been provided; as a workaround, users can set the kill bit for the ActiveX control (CLSID 5A074B2B-F830-49de-A31B-5BB9D7F6B407) to prevent Internet Explorer from activating this control.
- New Zeroday published, Exploit by Joe Mengele