Microsoft: New IE flaw limited in scope
A security bug in Internet Explorer discovered this week mostly affects users of certain developer tools, the software giant says.
The security hole, reported on Wednesday by the French Security Incident Response Team, involves the Microsoft DDS Library Shape Control file. The Msdds.dll file has to be present on a computer for the machine to be vulnerable to possible compromise by an outside attacker.
The file is put on a computer only with Microsoft's Visual Studio 2002 and certain Office XP installations, according to a Microsoft alert updated on Friday.
Visual Studio is a tool designed for developers, so most home PCs will likely not have the file. In addition, Visual Studio 2002 is an older version. People who have updated their PCs to Visual Studio 2002 Service Pack 1 are not vulnerable, Microsoft said.
In another possible restriction on the flaw's scope, only specific versions of the Microsoft DDS Library Shape Control file are affected, the software maker said. The company provides technical details in its advisory.
The problem exists because IE will inappropriately let Web sites run other pieces of Microsoft software on a computer. The flaw is similar to vulnerabilities Microsoft fixed as part of its monthly patch release last week and in July.
An attacker could craft a malicious Web site that takes advantage of the flaw and gain control over a vulnerable PC that visits the Web site, according to FrSIRT. The intruder could exploit the flaw to install malicious software on those systems, FrSIRT has said. The research group rates the issue "critical," its most serious classification.
Microsoft said it is preparing a fix that will be included with an upcoming security bulletin. The company typically releases bulletins on the second Tuesday of every month.