We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
78,650 News Articles

Latest Microsoft flaw patched by Determina

Not as severe as the VML flaw, though

For the second week in a row, independent security researchers have fixed a hole in Microsoft's software.

On Friday, Determina published a free patch for a critical bug in an ActiveX control (called WebViewFolderIcon) that is used by Windows' graphical user interface. That patch can be found here.

Security experts consider the flaw to be critical because it could be exploited by attackers to run unauthorised code on a victim's PC. To make this happen, the victim would have to visit a website with IE (Internet Explorer) and allow it to run a malicious ActiveX control.

Security researcher HD Moore published details of the bug on 18 July, but he recently added attack code that exploited the flaw to his widely used Metasploit hacking toolkit. Determina says that the availability of the Metasploit code has boosted the risk of attacks.

There seems to be no shortage of Windows attacks recently.

Last Tuesday, Microsoft issued a rare emergency patch for a separate problem in Outlook and IE's VML (Vector Markup Language) rendering engine, after that flaw was widely exploited by attackers. And criminals have also launched extremely limited attacks that exploit an unpatched flaw in PowerPoint.

The VML flaw had first been fixed four days ahead of Microsoft's patch by a group of security researchers calling themselves the Zeroday Emergency Response Team.

This latest bug is not likely to be as widely exploited as the VML vulnerability, Moore said. "This bug is not as severe as the VML flaw, since it depends on ActiveX, and would not be exploitable by default through Outlook," he said in an email.

Nevertheless, Microsoft found the issue to be serious enough to merit a security advisory, published last Thursday.

Microsoft plans to patch the WebViewFolderIcon flaw in its next scheduled set of security updates, due on 10 October.

So far, Microsoft doesn't know of "any attacks attempting to use the reported vulnerability or of customer impact at this time", the security advisory states.

Microsoft does not recommend that users install third-party patches, because it says this software has not gone through the rigorous quality assurance testing process that the firm applies to its security updates.

Determina's patch works on Windows 2000, XP and 2003 systems.


IDG UK Sites

Nokia Lumia 930 review: The flagship Windows Phone 8.1 smartphone

IDG UK Sites

Live Blog: Apple financial results, record June quarter, 35.2m iPhones sold, $37.4b revenue

IDG UK Sites

Welcome to the upgrade cycle - you'll never leave

IDG UK Sites

Why smartphone screens are getting bigger