FrSIRT have identified a critical vulnerability with Internet Explorer 6 for Windows XP SP1 and SP2. The problem could be exploited by remote attackers to execute arbitrary commands. The issue is due to a memory corruption error when instantiating the "Msdds.dll" (Microsoft Design Tools Diagram Surface) object as an ActiveX control, which could be exploited by an attacker to take complete control of an affected system via a specially crafted Web page. Unfortunately for users of Internet Explorer 6 there is 0day Exploit Code readily available for would be hackers to create web pages. This is un-usual and brings into question whether FrSIRT were taking decent measures to ensure Microsoft were aware of this threat. According to a Microsoft Spokesperson, "Microsoft is aggressively investigating new public reports of a possible vulnerability in Internet Explorer. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk." We will keep you updated on Microsoft's investigations and whether they plan to release a patch for this flaw soon. FrSIRT Advisory Source: Neowin.net
