New holes in Internet Explorer
A proof-of-concept exploit has surfaced on security-related websites demonstrating a previously unknown flaw in Internet Explorer. The exploit has been shown to cause the browser to crash, but the Internet Storm Center and the US-CERT have indicated that the flaw could probably also be used to plant code into the memory of Windows PCs and then execute it. More precise analysis is still required, however.
The cause of the crash is an error in the ADODB ActiveX control, a common interface for various database systems. The exploit creates a new ActiveX object and then executes it several times, which evidently triggers a memory problem. Internet Explorer 6 is affected, as is Internet Explorer 7 in some cases. The latter caveat is required because the problem could not be consistently provoked in Internet Explorer 7 when attempted on different systems. Internet Explorer 7 running on Vista RC2 with standard settings appeared completely unaffected by the exploit, although the secure default settings on that OS may be the reason for this. On a machine running Windows XP SP2, for example, the final version of Internet Explorer 7 did crash.
Microsoft is already investigating the flaw, but has not yet recommended a solution. The US-CERT is therefore recommending that users either deactivate ActiveX or set the kill bit for the vulnerable control. One of the control's keys must be modified in the registry under CLSID (00000514-0000-0010-8000-00AA006D2EA4). A knowledge base article from Microsoft shows how kill bits are set: How to stop an ActiveX control from running in Internet Explorer. Inexperienced users are advised against attempting the workaround and should instead completely deactivate ActiveX or use another browser.
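The kill-bit workaround described above can be scripted. The following is an added example, not taken from the article, US-CERT or Microsoft: it sets the Compatibility Flags value 0x400 under Internet Explorer's "ActiveX Compatibility" registry key for the CLSID given in the article, keeps any flags already present, and reads the value back. Covering the Wow6432Node view for 64-bit Windows is an assumption about the target systems.

```powershell
# Added example: set the kill bit for the ADODB control CLSID named in the article.
# Run from an elevated PowerShell prompt.
$clsid   = '{00000514-0000-0010-8000-00AA006D2EA4}'   # CLSID from the article
$killBit = 0x400                                       # kill-bit flag in "Compatibility Flags"
$name    = 'Compatibility Flags'

# Native view plus the 32-bit view that exists only on 64-bit Windows (assumption).
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }   # view not present here

    $key = Join-Path $root $clsid
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Preserve flags that are already set; only OR in the kill bit.
    $existing = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
    $current  = if ($existing) { [int]$existing.$name } else { 0 }
    $updated  = $current -bor $killBit

    New-ItemProperty -LiteralPath $key -Name $name -PropertyType DWord `
        -Value $updated -Force | Out-Null

    # Read the value back and confirm the kill bit is really set.
    $check = [int](Get-ItemProperty -LiteralPath $key -Name $name).$name
    if (($check -band $killBit) -eq $killBit) {
        Write-Output ("Kill bit set: {0} (flags 0x{1:X})" -f $key, $check)
    } else {
        Write-Warning ("Kill bit NOT set: {0}" -f $key)
    }
}
```

Internet Explorer must be restarted before the change takes effect. To reverse the workaround once a patch is installed, clear the 0x400 bit from the same value.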
Back in late September a DoS hole in the WebView ActiveX control from Internet Explorer, previously viewed as non-critical, developed into an enormous security threat. Here too the only remedy prior to the release of an official patch was simply deactivating the control.
- ADODB.Connection POC Published, blog entry from the Microsoft Security Response Center
- ADODB.Connection ActiveX control unspecified vulnerability, warning from US-CERT