Microsoft Corp. has released software that can be used to mitigate a critical vulnerability in Internet Explorer that was first reported last week.
The bug, which concerns the way Internet Explorer (IE) handles ActiveX components, can cause the browser to crash and could be used by an attacker to run unauthorized software on the IE user’s machine, according to Microsoft.
On Tuesday, Microsoft released software that in the registry disables a file called Javaprxy.dll, which is used to run these components in IE. This file is used by the Microsoft Java Virtual Machine, according to Microsoft.
Microsoft has not yet decided whether it will release a software patch that would fix the underlying problem, a spokeswoman for Microsoft’s public relations agency said. “The workaround that they’ve offered here doesn’t fix the underlying vulnerability, but it removes the functionality,” she said.
Danish security company Secunia gave the vulnerability its most serious rating, calling it “extremely critical.”
The Austrian security researchers who discovered the flaw expect Microsoft eventually to issue a full-blown patch. “Right now it’s not that dangerous,” said Martin Eisner, chief technical officer with security consulting company SEC Consult Unternehmensberatung GmbH. “But of course within a couple of weeks there will be somebody who has a little bit more time than we have and there will be an exploit then,” he said in an interview last week.
The software vendor does not yet know of any software that has exploited the bug, the Microsoft spokeswoman said Tuesday.
Microsoft has issued a Security Advisory that provides more details on the bug and lists other possible workarounds to the problem. It can be found here.