Internet Explorer Flaw Still Under Investigation -- Redmondmag.com

Internet Explorer Flaw Still Under Investigation

By Scott Bekker
07/11/2005

UPDATE -- The July patches are posted as of 1:40 p.m. Eastern time July 12. The fix for this flaw IS included. Click here for the story.

Microsoft continues to investigate a vulnerable component in Internet Explorer for which it posted a kill bit last week, but it is unlikely the software giant will include the fix as part of its monthly patching event on Tuesday.

In the worst case, the flaw can allow an attacker to take complete control of a victim's computer over the Internet. While no reports of attacks using the vulnerability have been reported to Microsoft, details of the flaw are public, creating a dangerous situation.

The flaw involves a COM object called the JVIEW Profiler (Javaprxy.dll), an optional component in the browser that provides an interface to a debugger in the Microsoft Java Virtual Machine. The JVIEW Profiler is not included by default in several versions of Internet Explorer, but it can be installed by applications with the Microsoft Java Virtual Machine or during an operating system upgrade.

After acknowledging the vulnerability in a security advisory on June 30, Microsoft completed an initial investigation and recommended disabling Javaprxy.dll. Last week Microsoft posted several downloads of kill bits to disable the component. The executable kill bit gives users a way to make the necessary change without trying to edit the Registry, where minor mistakes can have disastrous consequences for a system.

In the version of its security advisory with links to the downloads, Microsoft promised a complete fix for the issue will be released in an upcoming security bulletin. The advisory underscored the severity of the issue by raising the possibility that the bulletin could be released between monthly patch release dates.

The next monthly patch release date is Tuesday. Microsoft notified customers late last week that three bulletins were coming -- two for Windows and one for Office. While Microsoft could turn around and issue a bulletin for Internet Explorer on Tuesday, as well, the fact that Internet Explorer wasn't mentioned in the advance notification makes that unlikely. Microsoft's next monthly patching date falls on Aug. 9.

The Microsoft security advisory about the JVIEW Profiler is available at www.microsoft.com/technet/security/advisory/903144.mspx.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.