CYBERSPACE – The UK digital threat analysis group ComputerTerrorism has released exploit code for a bug in Internet Explorer that could allow remote attackers to take over systems running Windows operating systems, including Windows XP with Service Pack 2.ComputerTerrorism elevated the severity of the flaw to “critical” from “low” when it was discovered that the security flaw, originally identified in late May, made systems vulnerable to remote attacks.
“Contrary to popular beliefs, the aforementioned security issue is susceptible to remote, arbitrary code execution, yielding full system access with the privileges of the underlying user,” ComputerTerrorism stated in the overview of their security advisory. Until now, the flaw was thought to allow attackers to crash a system remotely, but not execute code on the exploited system.
As no patch has been issued yet, researchers say the only protection against the flaw is for users to disable active scripting for “non-trusted” sites.
For its part, Microsoft asserts that not all Windows systems are vulnerable, and they aren’t aware of any impact on their customers as a result of the flaw, thus far.
“Customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected,” Microsoft stated in an advisory posted on their website. “We have also been made aware of proof of concept code targeting the reported vulnerability but are not aware of any customer impact at this time.”
ComputerTerrorism claimed it has confirmed the bug on completely patched and updated systems running Windows XP SP2 and Windows 2000 SP4.
Microsoft also took exception to ComputerTerrorism’s method of disclosing the problem; posting the information publicly instead of reporting the vulnerability directly to Microsoft.
“Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk,” the company stated in its advisory. “We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone’s best interests.”
