ActiveX Vulnerability Strikes IE6

Microsoft has detected a flaw in IE 6 and is putting some security measures in place for the application. Customers are also being asked to beware of suspicious links.

An entry in Microsoft's Security Response Center blog reported that a flaw has been detected in the company's Internet Explorer 6. A weakness in the ADODB.Connection ActiveX control in the browser may lead to memory corruption and cause the browser to crash. The flaw appears to have been found by an independent researcher and subsequently publicized by US-CERT and SecurityFocus.

Microsoft ActiveX Data Objects (ADO) constitute a part of the Microsoft platform and permit the writing of programs for accessing data, irrespective of the database holding the information.
ADO was created as a basic, simple access library for databases. It was designed to be used through everyday scripting languages. ADO is still a widely used Windows control for programmers using high-level languages in Windows to work with Access databases.

SecurityFocus says that memory corruption in Microsoft Internet Explorer is likely to occur when a specific method of the 'ADODB.Connection.2.7' ActiveX object is called. Attackers could exploit the flaw to crash the browser and deny service to legitimate users. A more serious outcome of the vulnerability could be the execution of arbitrary machine code, though this has not been verified.

The above-mentioned blog says Microsoft is aware of the posting of proof-of-concept (PoC) code for ADODB.Connection. The Software Security Incident Response Process has been activated to investigate the problem. Once the investigation is over and the threat to customers is understood, appropriate action will be taken to protect the application and guide customers. The task is being undertaken in partnership with MSRA (Microsoft Security Response Alliance).

US-CERT mentions that a malicious user might be able to execute code if the ADO control is passed invalid SQL statements. It remains to be seen whether the same problem affects IE7.

As advice to customers, Microsoft proposes several workarounds, such as making Internet Explorer ask for permission before activating ActiveX controls for the time being. Since many sites use such controls, prompts are likely to be frequent.

Furthermore, the US Computer Emergency Response Team advises users to ignore unsolicited or seemingly suspicious links.
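The "ask permission before activating ActiveX" workaround corresponds to a per-zone Internet Explorer setting stored in the registry. The following PowerShell is an added example, not taken from the article or from Microsoft's guidance: it audits the "Run ActiveX controls and plug-ins" action (1200) for the Local intranet and Internet zones of the current user and can switch it to Prompt. The function names and the choice of zones are assumptions made for illustration.

```powershell
# Added example: audit / set the per-user IE zone action 1200
# ("Run ActiveX controls and plug-ins"). Values: 0 = Enable, 1 = Prompt, 3 = Disable.
# Group Policy can override these per-user values; this checks HKCU only.
$ZonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Action   = '1200'
$Policy   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$Zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }   # zones chosen for this example

function Get-ActiveXZonePolicy {
    foreach ($id in ($Zones.Keys | Sort-Object)) {
        $path  = Join-Path $ZonesKey "$id"
        $item  = Get-ItemProperty -Path $path -Name $Action -ErrorAction SilentlyContinue
        $value = if ($item) { $item.$Action } else { $null }

        # A missing value means the zone falls back to its template default.
        $state = if ($null -eq $value)              { 'Not set' }
                 elseif ($Policy.ContainsKey($value)) { $Policy[$value] }
                 else                               { "Unknown ($value)" }

        [pscustomobject]@{
            Zone      = $Zones[$id]
            ZoneId    = $id
            Setting   = $state
            # Only Prompt or Disable satisfies the workaround.
            Compliant = ($value -eq 1 -or $value -eq 3)
        }
    }
}

function Set-ActiveXPrompt {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int[]]$ZoneId = @(1, 3))

    foreach ($id in $ZoneId) {
        $path = Join-Path $ZonesKey "$id"
        if ($PSCmdlet.ShouldProcess($path, "Set $Action to 1 (Prompt)")) {
            Set-ItemProperty -Path $path -Name $Action -Value 1 -Type DWord
        }
    }
}

# Report the current state, then preview the change without writing anything.
Get-ActiveXZonePolicy | Format-Table -AutoSize
Set-ActiveXPrompt -WhatIf
```

Running `Set-ActiveXPrompt` without `-WhatIf` applies the change; expect the frequent prompts the article mentions on sites that rely on ActiveX controls.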

Related article: ActiveX Bug Surfaces in RealPlayer Media Player

» SPAMfighter News - 11/4/2006
