Internet Explorer Still Vulnerable
A self-appointed security sleuth has uncovered a new vulnerability in Microsoft's Internet Explorer web browser that bears a close resemblance to the Download.Ject exploit. Although Microsoft patched Download.Ject last week, Dutch security expert Jelmer Kuperus found that Microsoft's efforts to fix the problem did not go far enough.
By making slight modifications to the Download.Ject source code, Jelmer has successfully bypassed the browser's latest security update. Jelmer's technique draws on a hole in the Shell.Application ActiveX object - similar to ADODB.Stream - to gain unrestricted access to Windows machines.
Jelmer has posted sample code to the Web.
A Microsoft spokesperson acknowledged that the software giant was aware of the problem and working diligently to correct it; however, the spokesperson claimed that Microsoft did not know of any instances where customers were impacted by the exploit.
In the meantime, before Microsoft delivers a series of updates to Internet Explorer in the coming weeks, customers can read up on Microsoft's safe browsing tips and practice safe computing to protect their PCs.
"This is disturbing but not surprising," said Yankee Group Senior Analyst Laura DiDio. "In the 21st century computing security updates are the most fleeting of all. Hackers are getting better at their craft and collaborating more."
DiDio continued, "When it comes to Microsoft there are clearly unassailable facts: Microsoft is the world's number one software maker and the first target of hackers. If anyone is subject to repeated attacks there will be a success rate. This will not change anytime soon."