IE Exploit Attacks Another Piece of ActiveX

IE Exploit Attacks Another Piece of ActiveX:
"Using Internet Explorer hasn't gotten any safer in the past few days as a Dutch security hacker, Jelmer Kuperus, pointed out yet another unblocked security problem in the popular Web browser.

The latest exploit, an attack on a Windows ActiveX component called Shell.Application, is similar to the Download.Ject attack, also called JS.Scob.Trojan. In that exploit, crackers broke into IIS servers on several popular but still unnamed sites and used them to spread keyboard loggers, proxy servers and other malware through IE's ActiveX scripting technology."

Indeed, attackers used the spyware technique of installing a pop-up ad program, except this one silently installed a Trojan and a BHO (Browser Help Object) designed to swipe login information from several dozen financial sites.

The sites that spread the malware have since been fixed, but there has been no master shipping solution for the underlying IE vulnerabilities. Disabling Active scripting and ActiveX controls in the Internet Zone and Local Machine Zone will prevent exploitation of these holes, but at the cost of seriously affecting IE's functionality.

Microsoft shipped a "patch" Friday that addressed part of this security problem by disabling the Windows component called ADODB.Stream.…

http://www.eweek.com/article2/0,1759,1620855,00.asp?kc=ewnws070804dtx1k0000599