Microsoft on Friday rushed out a major cumulative patch to plug ‘critical’ holes in Internet Explorer (IE) that allowed attackers to hijack the browser or change DNS server settings.
In an unusual move, Microsoft issued an advisory late on Friday after security consultants warned that a QHosts-1 trojan was sneaking into PCs via unpatched Internet Explorer holes.
According to McAfee, attackers have been using the trojan to hijack browser use. “When page requests are made, they are rerouted to specified Domain Name Servers. This allows a remote ‘administrator’ to direct users to the pages of their choosing. For example, if an infected user attempted to navigate to http://www.google.com, they would be routed to a different site,” McAfee warned.
In its 40th advisory for this year, Microsoft confirmed the security vulnerabilities and urged IE users to install the cumulative patch that includes the functionality of all previously released patches for Internet Explorer 5.01, 5.5 and 6.0.
The most serious flaw, Microsoft explained, occurred because IE does not properly determine an object type returned from a Web server in a pop-up window. It made it possible for an attacker to run arbitrary code on a user’s system.
The company also fixed a vulnerability that occurs because IE does not properly determine an object type returned from a Web server during XML data binding. This flaw could also lead to harmful code execution.
Ominously, Microsoft warned that it could be possible for an attacker to exploit the flaw “without any user action” other than visiting the attacker’s Web site. “An attacker could also craft an HTML-based e-mail that would attempt to exploit this vulnerability,” the company said.
In addition, Microsoft has made a change to the method by which IE handles Dynamic HTML (DHTML) behaviors in the browser’s restricted zone. “It could be possible for an attacker exploiting a separate vulnerability (such as one of the two vulnerabilities discussed above) to cause Internet Explorer to run script code in the security context of the Internet Zone,” the company said.
Microsoft also warned that an attacker could use its WMP media player to open URLs and run exploits.
Windows Media Player users are urged to apply a security update in addition to the IE cumulative patch. While the WMP update is not a security patch, Microsoft said it contained a change to the behavior of WMP’s ability to launch URLs to help protect against DHTML behavior-based attacks. Specifically, it restricts Windows Media Players ability to launch URLs in the local computer zone from other zones.
