September 08, 2003, 5:32 PM — Security experts are warning Microsoft Corp. customers about silent Internet attacks that exploit a security flaw in the Internet Explorer Web browser, potentially allowing remote attackers to run malicious code on vulnerable machines.
The vulnerability is similar in scope to those exploited by devastating worms such as Nimda, Badtrans and Klez, according to one security company. And, to make matters worse, the flaw is one Microsoft said it fixed weeks ago.
The security hole, known as the "Object Data vulnerability," affects Internet Explorer (IE) versions 5.01, 5.5 and 6.0. It concerns the way that IE processes HTML (Hypertext Markup Language) pages containing a special element called the Object Data tag. If properly exploited, the vulnerability could enable an attacker to place a malicious computer program on a user's machine. No user actions would be required aside from opening an e-mail message or visiting a Web page containing the attack.
On August 20, Microsoft released a patch for IE, MS03--032, that it said closed the hole, in addition to patching other security holes in IE. (See: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-032.asp.)
According to a message posted to a prominent security discussion group Sunday, however, the vulnerability still exists on machines using IE even after applying the patch.
A Microsoft spokesman confirmed that the company is investigating the reports of new exploits for one of the vulnerabilities addressed in the MS03-032 security bulletin.
However, Microsoft still recommends that customers install that patch, he said.
The Redmond, Washington, software company is not aware of any customers who have been attacked using the vulnerability, he said.
However, security researchers know of at least one exploitation of the Object Data vulnerability that is already circulating on the Internet, according to a statement by security company Secunia Ltd. of Copenhagen, Denmark.
An e-mail message that contains HTML code that exploits the vulnerability is used to silently retrieve and run a file, "drg.exe," that installs a file called "surferbar.dll" onto the victim's computer, according to the Secunia alert.
That file adds a new bar to the affected users' Internet Explorer Web browser with links to pornographic Web sites, the company said.