CERT urges users to install MS patch

Carnegie Mellon University’s CERT is urging users to install a recently issued Microsoft Corp. patch relating to a previously discovered vulnerability in the Internet Explorer (IE) browser.

The advisory from CERT – a security research and advisory organization – was released Aug. 11. It was prompted by concerns that users may not understand the full scope of the problem created by the hole, or the limits of the work-around previously issued by Microsoft to address it, said Shawn Hernan, a CERT team member.

The so-called IE Script hole was discovered in July by Bulgarian bug-hunter Georgi Guninski. It allows attackers to embed malicious code on a victim’s computer without the victim having to open any attachments or executable files.

Attackers plant malicious code in a Microsoft Access database or project file hosted on a rogue Web site. Victims – which can include anyone who uses IE 4.x or 5.x, Microsoft Access 97 or 2000 – can be compromised simply by visiting the site or by previewing e-mail containing links to the site, regardless of the security settings in Access or IE.

“A remote intruder can send malicious HTML via an e-mail message, newsgroup posting or downloaded Web page and may be able to execute arbitrary code on a victim’s machine,” the CERT advisory said.

In worst-case scenarios, the hole can give malicious hackers “one level of access from complete administrative control of [a victim’s] machine,” Hernan said.

Microsoft initially provided a work-around for this vulnerability that involved setting up a password control in Access. However, the work-around only protects certain types of Access files against the vulnerability, which is why it’s crucial for users to download the Microsoft patch, Hernan said. It would be dangerous for users to assume that the work-around alone is enough protection, he added.

In its advisory, CERT also asked users to set up the Admin password control for Access even after the patch is installed.