Another IE Flaw in the Wild? Download.Ject Vulnerability Still Unpatched? Sean Michael Kerner
Within hours of Microsoft releasing its patch last week to plug a hole in its Internet Explorer browser, a Dutch security expert posted code on his site that revealed the patch still leaks.
The so-called "insider" vulnerability that is still unpatched is similar to the ADODB.Stream vulnerability in that it exists inside of the ActiveX library of scripting feature components. The insider vulnerability is in the Shell.Application component and essentially enables the same basic attack where a malicious piece of code may be unwittingly downloaded via a web site to a fully patched IE user's computer.
Last Friday, Microsoft responded to a security issue with the ADODB.Stream, which allowed for the widespread transmission and infection of a Trojan known as Download.Ject or Scob. That Trojan was faulted for the attack targeting Microsoft Internet Information Services 5.0 users.
Microsoft's browser has come under increasing criticism in recent weeks as flaw after flaw has been reported by various security experts, leaving the company scurrying to patch holes.
Microsoft has posted an information page about Download.Ject, as well as an update for customers through the Windows Update site.
The company's efforts weren't enough to stop the U.S. Computer Emergency Readiness Team (US-CERT) from warning computer users late last week to avoid using Internet Explorer altogether.
The much anticipated Windows XP Service Pack 2, expected in final release later this summer, is set to feature a significant security overhaul for Internet Explorer.
Microsoft's competitors in the browser space have noticed the company's ActiveX-related security issues. Mozilla, Opera, and Apple announced an initiative to develop a new plug-in standard that they hope will be more secure than Microsoft's ActiveX implementation.
