CERT urges users to install MS patch

Carnegie Mellon University’s CERT is urging users to install a recently issued Microsoft Corp. patch relating to a previously discovered vulnerability in the Internet Explorer (IE) browser.

The advisory from CERT, a security research and advisory organization, was released Aug. 11. It was prompted by concerns that users may not understand the full scope of the problem created by the hole, or of implementing a work-around previously issued by Microsoft to fix it, said Shawn Hernan, a CERT team member.

The so-called IE Script hole was discovered in July by Bulgarian bug-hunter Georgi Guninski. It allows attackers to embed malicious code on a victim’s computer without the victim having to open any attachments or executable files.

Attackers plant malicious code in a Microsoft Access database or project files on a rogue Web site. Victims, who can include anyone who uses IE 4.x or 5.x, Microsoft Access 97 or 2000, can be compromised simply by visiting the site or by previewing e-mail containing links to the site, regardless of the security settings in Access or IE.

“A remote intruder can send malicious HTML via an e-mail message, newsgroup posting or downloaded Web page and may be able to execute arbitrary code on a victim’s machine,” the CERT advisory said.

In worst-case scenarios, the hole can give malicious hackers “one level of access from complete administrative control of [a victim’s] machine,” Hernan said.

Microsoft initially provided a work-around for this vulnerability that involved setting up a password control in Access. However, the work-around only protects certain types of Access files against the vulnerability, which is why it’s crucial for users to download the Microsoft patch, Hernan said. It would be dangerous for users to assume that the work-around alone is enough protection, he added.

In its advisory, CERT also asked users to set up the Admin password control for Access even after the patch is installed.
