Determina patches latest Microsoft flaw

Vulnerability in ActiveX control plugged by third party

For the second week in a row, independent security researchers have fixed a hole in Microsoft Corp.'s software.

On Friday, Determina Inc. published a free patch for a critical bug in an ActiveX control (called WebViewFolderIcon) that is used by Windows' graphical user interface.

Security experts consider the flaw to be critical because it could be exploited by attackers to run unauthorized code on a victim's PC. To make this happen, the victim would have to visit a Web site with Internet Explorer and allow it to run a malicious ActiveX control.

Security researcher HD Moore published details of the bug on July 18, but he recently added attack code that exploited the flaw to his widely used Metasploit hacking tool kit. Determina says that the availability of the Metasploit code has boosted the risk of attacks.

There seems to be no shortage of Windows attacks this week.

On Tuesday, Microsoft issued a rare emergency patch for a separate problem in Outlook and IE's Vector Markup Language (VML) rendering engine, after that flaw was widely exploited by attackers. And criminals have also launched extremely limited attacks that exploit an unpatched flaw in PowerPoint.

The VML flaw had first been fixed four days ahead of Microsoft's patch by a group of security researchers calling themselves the Zeroday Emergency Response Team.

This latest bug is not likely to be as widely exploited as the VML vulnerability, Moore said. "This bug is not as severe as the VML flaw, since it depends on ActiveX, and would not be exploitable by default through Outlook," he said in an e-mail.

Nevertheless, Microsoft found the issue to be serious enough to merit a security advisory, published Thursday.

Microsoft plans to patch the WebViewFolderIcon flaw in its next scheduled set of security updates, due Oct. 10.

So far, Microsoft doesn't know of "any attacks attempting to use the reported vulnerability or of customer impact at this time," the security advisory states.

Microsoft does not recommend that users install third-party patches, because this software has not gone through the quality assurance testing process that Microsoft applies to its security updates.

Determina's patch works on Windows 2000, XP and 2003 systems.


Copyright © 2006 IDG Communications, Inc.

Shop Tech Products at Amazon