Internet Explorer Flaw Still Under Investigation

UPDATE -- The July patches are posted as of 1:40 p.m. Eastern time July 12. The fix for this flaw IS included.

Microsoft continues to investigate a vulnerable component in Internet Explorer for which it posted a kill bit last week, but it is unlikely the software giant will include the fix as part of its monthly patching event on Tuesday.

In the worst case, the flaw can allow an attacker to take complete control of a victim's computer over the Internet. While no attacks using the vulnerability have been reported to Microsoft, details of the flaw are public, creating a dangerous situation.

The flaw involves a COM object called the JVIEW Profiler (Javaprxy.dll), an optional component in the browser that provides an interface to a debugger in the Microsoft Java Virtual Machine. The JVIEW Profiler is not included by default in several versions of Internet Explorer, but it can be installed by applications with the Microsoft Java Virtual Machine or during an operating system upgrade.

After acknowledging the vulnerability in a security advisory on June 30, Microsoft completed an initial investigation and recommended disabling Javaprxy.dll. Last week Microsoft posted several downloads of kill bits to disable the component. The executable kill bit gives users a way to make the necessary change without trying to edit the Registry, where minor mistakes can have disastrous consequences for a system.

In the version of its security advisory with links to the downloads, Microsoft promised that a complete fix for the issue will be released in an upcoming security bulletin. The advisory underscored the severity of the issue by raising the possibility that the bulletin could be released between monthly patch release dates.

The next monthly patch release date is Tuesday. Microsoft notified customers late last week that three bulletins were coming -- two for Windows and one for Office. While Microsoft could turn around and issue a bulletin for Internet Explorer on Tuesday, as well, the fact that Internet Explorer wasn't mentioned in the advance notification makes that unlikely. Microsoft's next monthly patching date falls on Aug. 9.

The Microsoft security advisory about the JVIEW Profiler is available at www.microsoft.com/technet/security/advisory/903144.mspx.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
