Internet Explorer Flaw Still Under Investigation
- By Scott Bekker
- July 11, 2005
-- The July patches are posted as of 1:40 p.m. Eastern time July 12. The fix for this flaw IS included.
Microsoft continues to investigate a vulnerable component in Internet Explorer for which it posted a kill bit last week, but it is unlikely the software giant will include the fix as part of its monthly patching event on Tuesday.
In the worst case, the flaw can allow an attacker to take complete control of a victim's computer over the Internet. While no attacks using the vulnerability have been reported to Microsoft, details of the flaw are public, creating a dangerous situation.
The flaw involves a COM object called the JVIEW Profiler (Javaprxy.dll), an optional component in the browser that provides an interface to a debugger in the Microsoft Java Virtual Machine. The JVIEW Profiler is not included by default in several versions of Internet Explorer, but it can be installed by applications with the Microsoft Java Virtual Machine or during an operating system upgrade.
After acknowledging the vulnerability in a security advisory on June 30, Microsoft completed an initial investigation and recommended disabling Javaprxy.dll. Last week Microsoft posted several downloads of kill bits to disable the component. The executable kill bit gives users a way to make the necessary change without trying to edit the Registry, where minor mistakes can have disastrous consequences for a system.
In the version of its security advisory with links to the downloads, Microsoft promised that a complete fix for the issue will be released in an upcoming security bulletin. The advisory underscored the severity of the issue by raising the possibility that the bulletin could be released between monthly patch release dates.
The next monthly patch release date is Tuesday. Microsoft notified customers late last week that three bulletins were coming -- two for Windows and one for Office. While Microsoft could turn around and issue a bulletin for Internet Explorer on Tuesday, as well, the fact that Internet Explorer wasn't mentioned in the advance notification makes that unlikely. Microsoft's next monthly patching date falls on Aug. 9.
The Microsoft security advisory about the JVIEW Profiler is available at www.microsoft.com/technet/security/advisory/903144.mspx.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.