An unpatched bug in a file installed with Microsoft's Office and Visual Studio software could lead to some serious problems for IE (Internet Explorer) users, security researchers have reported.
An attacker could seize control of a vulnerable system by exploiting the bug, which the FrSIRT (French Security Incident Response Team) reported in an alert published last Wednesday. This would be achieved by installing malicious code in a website page that exploits a memory corruption error in a file that ships with Microsoft Office 2002 and Microsoft Visual Studio .Net 2002 products, the research organisation says.
Although the attack would be executed via the popular IE browser, only systems that contain the file in question, called Msdds.dll, are vulnerable, FrSIRT says. It also says it has not yet seen a patch for the vulnerability.
Msdds.dll is software that is used for creating customised Office applications, according to Russ Cooper, senior information security analyst at Cybertrust.
Cooper does not believe that this file has been installed on a large number of Windows systems. "I'm not concerned about it," he commented via instant message. "I don't doubt it is shipped with the full Office Professional installation CD, but I highly doubt it is installed automatically."
Neither Microsoft nor FrSIRT could say whether this file was installed by default with Office or Visual Studio.
Microsoft has yet to see any attackers taking advantage of the flaw, a company spokesperson said last Thursday. But reports are circulating of websites that take advantage of another IE bug, which Microsoft patched on 9 August.
About a dozen websites have cropped up that take advantage of a flaw in IE's Jpeg rendering engine, according to Dan Hubbard, senior director of security and research at Websitesense. If unpatched IE users go to these websites, their systems could be made to crash, or they could be made to run software that allows an attacker to gain control of the system, he says.
Because users must first be tricked into clicking on the malicious website for the attack to work, this exploit is not considered as dangerous as the recent round of Windows Plug and Play worms that were widely reported earlier this week.
But attackers are increasingly using IE rather than email viruses as a way of seizing control of systems, Hubbard says. "In the last year we've seen a huge trend toward malicious website sites being used as an attack vector," he says. "Email is just not as effective as it used to be."
The Microsoft spokesperson would not say whether or not a patch is planned for the Msdds.dll bug, but on Thursday the company published a security advisory discussing the problem. The advisory, which includes a number of suggested work-arounds, can be found online, as can the FrSIRT alert.
A Sans Institute alert with instructions on how to check for the Msdds.dll file can also be found online.