New Vulnerability Affecting Internet Explorer

An exploit has been spotted in the wild for an unpatched vulnerability in Microsoft XML Core Services, which allow developers to create XML-enabled applications. All supported versions of Internet Explorer (including IE7) make use of this functionality and are likely vectors of attack.

While the exploit has been spotted in the wild, it has been seen on only a single Web site, and there have been no confirmed infection reports. Nevertheless, as always, be cautious when surfing the Web.

How can the attacker exploit this vulnerability?
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

What can the attacker do by exploiting this vulnerability?
An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How can I prevent being attacked?
The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing Active Scripting from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, they could still be vulnerable to this issue through the Web-based attack scenario.

By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 2000 opens HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages in the Restricted sites zone if Microsoft Security Bulletin MS04-018 has been installed.

By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability because ActiveX and Active Scripting are disabled by default.
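
To confirm that the zone settings these mitigations depend on are actually in effect on a workstation, the following PowerShell audit reads the Active Scripting and ActiveX settings for the Restricted sites and Internet zones. It is an added example, not part of the original advisory; the registry paths and URL action numbers (1200, 1400) are the standard Internet Explorer zone values and are not taken from the page.

```powershell
# Added example: audit the IE zone settings the mitigations above rely on.
# Assumed (not from the advisory): standard IE zone registry layout and URL
# action values, where 0 = enabled, 1 = prompt, 3 = disabled.
$zones   = @{ 3 = 'Internet'; 4 = 'Restricted sites' }
$actions = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$states  = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Machine policy is checked first because it overrides the per-user setting.
$roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ZoneActionState {
    param([int]$Zone, [string]$Action)
    foreach ($root in $roots) {
        $key  = Join-Path $root "$Zone"
        $prop = Get-ItemProperty -Path $key -Name $Action -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            return [pscustomobject]@{ Source = $root.Substring(0, 4); Value = [int]$prop.$Action }
        }
    }
    return $null   # value not configured in either location
}

$report = foreach ($zone in ($zones.Keys | Sort-Object)) {
    foreach ($action in ($actions.Keys | Sort-Object)) {
        $hit = Get-ZoneActionState -Zone $zone -Action $action
        if ($null -eq $hit) { $state = 'Not set' }
        elseif ($states.ContainsKey($hit.Value)) { $state = $states[$hit.Value] }
        else { $state = 'Other (0x{0:X})' -f $hit.Value }   # e.g. administrator-approved

        [pscustomobject]@{
            Zone    = $zones[$zone]
            Setting = $actions[$action]
            State   = $state
            Source  = if ($hit) { $hit.Source } else { '-' }
            # Flag only the Restricted sites zone; the Internet zone is listed for comparison.
            Review  = ($zone -eq 4 -and $state -ne 'Disabled')
        }
    }
}

$report | Format-Table -AutoSize
```

A row with `Review` set to `True` means HTML e-mail opened in the Restricted sites zone would not get the protection described above.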

Symantec has already released a signature, Bloodhound.Exploit.96, to catch this exploit. More information about the vulnerability can be found in the Microsoft Security Advisory (927892).