Security researchers have informed Microsoft of a bypass and cross-zone scripting vulnerability in Windows XP that could allow hackers to gain full control over and remotely execute code on user’s machines using Internet Explorer (IE).
Microsoft fixed the bug Tuesday as part of its regular Patch Tuesday security bulletin release.
This Remote Data Service (RDS) object flaw applies to fully patched Windows XP SP2 systems and users of Internet Explorer version 7.0b1.
Finjan provided Microsoft with full technical details, including proof of concept code, concerning this vulnerability and assisted the software giant with the fix. According to its code of ethics, Finjan said it does not publish technical details about vulnerabilities.
RDS is part of the Microsoft Data Access Components (MDAC) library and enables the creation and execution of objects that are not allowed to run by Internet Explorer. By exploiting this vulnerability, a hacker could have bypassed security restrictions imposed on objects and run them in the "Internet Zone."
In addition, the vulnerability could give a hacker full control over the user's machine, including access to information and write privileges to the local file system.
"This discovery is an excellent example of the shared efforts and close cooperation between Finjan's Malicious Code Research Center (MCRC) and Microsoft with the goal of securing users from potential malicious attacks," said Yuval Ben-Itzhak, chief technology officer at Finjan.