Microsoft plays down IE flaw

Joris Evers CNET News

Published: 22 Aug 2005 09:25 BST

Microsoft has given more details on an Internet Explorer (IE) security bug discovered this week, saying the flaw puts only some systems at risk.

The security hole, reported on Wednesday by the FrSIRT, involves the Microsoft DDS Library Shape Control file. The Msdds.dll file has to be present on a computer for the machine to be vulnerable to possible compromise by an outside attacker.

The file is put on a computer only with Microsoft's Visual Studio 2002 and certain Office XP installations, according to a Microsoft alert updated on Friday.

Visual Studio is a tool designed for developers, so most home PCs are not likely to have the file. In addition, Visual Studio 2002 is an older version. People who have updated their PCs to Visual Studio 2002 Service Pack 1 are not vulnerable, Microsoft said.

In another possible restriction on the flaw's scope, only specific versions of the Microsoft DDS Library Shape Control file are affected, the software maker said. The company provides technical details in its advisory.

The problem exists because IE will inappropriately let Web sites run other pieces of Microsoft software on a computer. The flaw is similar to vulnerabilities Microsoft fixed as part of its August patch release and in July.

An attacker could craft a malicious Web site that takes advantage of the flaw and gain control over a vulnerable PC that visits the Web site, according to FrSIRT. The intruder could exploit the flaw to install malicious software on those systems, FrSIRT has said. The research group rates the issue "critical", its most serious classification, in its advisory.

Microsoft said it is preparing a fix that will be included with an upcoming security bulletin. The company typically releases bulletins on the second Tuesday of every month.
