http://security.itworld.com/4341/040706mspatch/page_1.html-Snip-
Microsoft Corp.'s effort last week to fix a vulnerability in the Internet Explorer (IE) Web browser program and end the latest series of Internet attacks doesn't address another closely related and dangerous vulnerability, according to a security specialist.
Dutch security expert Jelmer Kuperus published code on the Web last week that he says can be used to break into fully patched Windows systems using a slightly modified version of an attack called Download.Ject that Microsoft patched last week. The new attack targets a hole in a different Windows component than the one addressed by Microsoft's software patch on Friday. Using a similar attack, malicious hackers could break into even patched Windows machines, Kuperus said.
Microsoft confirmed Tuesday that the company is aware of the exploit code, but does not believe any customers have been attacked using the Shell.Application exploit, a spokeswoman said.
Microsoft last week introduced a security update for Internet Explorer 6.0 to end the threat of Download.Ject. The update disables a Windows component called ADODB.Stream, which was allegedly being used by a Russian criminal gang called the Hangup Team to install malicious code on computers.
Printer-friendly format
Email this thread to a friend
Bookmark this thread
(1000+ posts)
Send PM |
Profile |
Ignore