Just one day after raising the threshold beyond which it considers security vulnerabilities "critical", Microsoft Corp released a security advisory saying there is a "critical" hole in its browsers and web servers that could cause serious problems, even if it is patched.
There is an unchecked buffer in Microsoft Data Access Components (MDAC) prior to version 2.7, the company said. MDAC is a "ubiquitous" technology used in Internet Explorer and the IIS web server. The buffer can be overrun with a malformed HTTP request, allowing arbitrary code to be executed on the target machine.
"This vulnerability is rated critical because an attacker could take over an IIS server or an Internet Explorer client and run code," Microsoft warned. "Any IIS server with MDAC and all Internet Explorer clients should apply the patch immediately."
Since Tuesday, Microsoft has defined "critical" as: "A vulnerability whose exploitation could allow the propagation of an internet worm without user action." This suggests this latest vulnerability could give rise to a virus as dangerous as Code Red, which spread to thousands of IIS servers last year.
To make matters worse, it is currently possible to make patched systems vulnerable again, Microsoft said.
Normally, when an ActiveX control is vulnerable to an attack, Microsoft's patch merely delivers a new, invulnerable control and sets a "Kill Bit" on the old one. Controls with set Kill Bits cannot be invoked by Internet Explorer. However, in this case it is not possible to set the Kill Bit without rendering countless web sites unreadable, Microsoft said.
A malicious attacker would be able to reintroduce the vulnerable control with just a specially HTML document. Users that have their browsers configured to trust Microsoft-signed ActiveX controls by default would have the vulnerability reintroduced without their knowledge.
Without a hint of irony, the company recommends removing "Microsoft" from IE's Trusted Publisher list (accessible via IE's Internet Options menu), in order to prompt a warning whenever a Microsoft-signed ActiveX control attempts to install itself. The company is working on a more permanent fix.