Explorer hole can crash PCs and compromise systems

An unpatched flaw in Internet Explorer may allow attackers to execute code via a malicious website. The bug affects the latest versions of Explorer patched with Service Pack 2 (SP2) as well as older editions, according to SEC Consult.

Cisco has also reported a flaw in its IOS operating system, widely used in routers and other networking hardware, that could allow attackers to bypass authentication.

The Explorer problem involves the way the javaprxy.dll COM object works with object tags, according to SEC Consult, but is part of a wider problem. "We found that at least 20 of the objects available on an average XP system either lead to an instant crash or an exception after a few reloads," the firm said in an advisory.

Crashes are one thing, but the javaprxy.dll flaw may also allow an attacker to run malicious script code, although neither Microsoft nor SEC Consult could confirm that this was more than a potential outcome. "An attacker who successfully exploited this vulnerability could run malicious script code on the local system. This could allow an attacker to take complete control of the affected system," said Microsoft in an advisory.

A user could be affected by the bug by viewing a website containing the malicious code, Microsoft said. An attacker might lure a user to a malicious site or compromise another site and embed the malicious code there.

Microsoft chided SEC Consult for publicly discussing the vulnerability. "While this issue was first reported to Microsoft responsibly, details about the reported vulnerability have been made public. Microsoft continues to encourage responsible disclosure of vulnerabilities," the company said in its advisory. Microsoft didn't initially confirm the bug when SEC Consult reported it earlier this month, according to the security firm.

Microsoft said it may patch the bug after finishing its investigation. In the meantime, it recommended that users set Explorer's security settings to "high", via a process described in the advisory. Unfortunately, this setting means users will be prompted before the execution of every ActiveX control.

Independent security firm Secunia gave the flaw a "highly critical" rating.

Cisco said a vulnerability in Cisco IOS could be exploited to bypass the Remote Authentication Dial-In User Service (RADIUS), which could allow an attacker to access a vulnerable network.

The bug affects particular versions of IOS, only affects those using RADIUS, and only affects those with a particular configuration setting - the fallback method must be set to "none". Cisco specifies which versions are vulnerable, and makes patches available, in an advisory on its website.

The company said workarounds are also possible to make the bug less dangerous.
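
The configuration condition described above, RADIUS authentication with a fallback method of "none", can be checked for in a saved router configuration. The script below is an added example, not code from Cisco's advisory or the original article. It assumes the usual IOS `aaa authentication <service> <list-name> <methods>` line syntax, runs on a constructed sample configuration, and does not resolve custom-named RADIUS server groups.

```python
import re

# Constructed sample configuration (not taken from Cisco's advisory or the article).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius none
aaa authentication login CONSOLE local
aaa authentication ppp default group radius local
aaa authentication login VTY group tacacs+ group radius none
aaa authentication login OLDSTYLE radius none
radius-server host 192.0.2.10 key example
"""

# Assumed line syntax: aaa authentication <service> <list-name> <method> [<method> ...]
AAA_LINE = re.compile(r"^\s*aaa authentication\s+(\S+)\s+(\S+)\s+(.+)$", re.IGNORECASE)


def parse_methods(method_text):
    """Split a method list into ordered methods, folding 'group X' into one entry."""
    tokens = method_text.split()
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i].lower() == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1].lower())
            i += 2
        else:
            methods.append(tokens[i].lower())
            i += 1
    return methods


def find_radius_none(config_text):
    """Return (line_no, service, list_name, methods) for lists using RADIUS that end in 'none'."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        match = AAA_LINE.match(line)
        if not match:
            continue
        service, list_name, rest = match.groups()
        methods = parse_methods(rest)
        uses_radius = any(m in ("radius", "group radius") for m in methods)
        if uses_radius and methods[-1] == "none":
            findings.append((line_no, service.lower(), list_name, methods))
    return findings


if __name__ == "__main__":
    for line_no, service, list_name, methods in find_radius_none(SAMPLE_CONFIG):
        print(f"line {line_no}: {service} list '{list_name}' -> {' > '.join(methods)}")
```

A match only shows that the configuration precondition is present; whether a device is affected still depends on the IOS versions listed in Cisco's advisory.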

Matthew Broersma

Techworld.com