Zero Day Exploit Hits Internet Explorer

Flaw With msdds.dll Can Crash IE And Run Malicious Code

From Tony Bradley, CISSP-ISSAP, for About.com

Microsoft has only just released its August Security Bulletins, and the world is still scrambling to fight the Zotob worm, which exploits the plug-and-play vulnerability from the MS05-039 bulletin. Now a zero day exploit has been disclosed that affects the Internet Explorer web browser.

Secunia released an advisory (SA16480) on August 18 outlining a vulnerability with the msdds.dll file. According to the Secunia Advisory, exploiting the vulnerability by calling the msdds.dll COM object from within Internet Explorer can cause the browser to crash and may allow an attacker to execute malicious code on the vulnerable system.

According to Secunia and US-CERT, exploit code is available in the wild for this vulnerability. Because it is a zero day exploit, Microsoft is still investigating and has not released any patches or updates to fix the flaw or protect vulnerable systems.

Microsoft has, however, released a bulletin providing what details it currently has about the vulnerability. The msdds.dll file does not ship with Microsoft Windows itself and is not part of Internet Explorer. However, it is installed with a variety of very popular applications, including the Microsoft Visual Studio development suite and the Microsoft Office productivity suite, making the file available on a vast number of Microsoft Windows machines.

While it investigates the issue and works on a long-term solution or patch to address the vulnerability, Microsoft has published a list of workarounds to help protect vulnerable systems, which includes:

  1. Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX controls in these zones
  2. Change your Internet Explorer to prompt before running or disable ActiveX controls in the Internet and Local intranet security zone
  3. Disable the Microsoft DDS Library Shape Control (Msdds.dll) COM object from running in Internet Explorer
  4. Unregister the Msdds.dll COM Object
  5. Modify the Access Control List on Msdds.dll to be more restrictive

For more information about these workarounds, see the Microsoft bulletin.
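To verify workaround 3 on a machine, the following read-only PowerShell audit is an added example, not taken from this article or the Microsoft bulletin. It checks Internet Explorer's standard "kill bit" registry flag for a COM object; the `-Clsid` value is a placeholder that must be taken from the Microsoft bulletin, and the function names are hypothetical.

```powershell
# Added example: report whether IE's kill bit is set for a given COM object.
# Nothing is modified; the script only reads the registry and file system.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
    [string]$Clsid   # placeholder: use the CLSID listed in the Microsoft bulletin
)

# 0x400 (COMPAT_EVIL_DONT_LOAD) tells IE never to instantiate the control.
$KillBit = 0x400

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so check both.
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-ComServerPath {
    param([string]$Id)
    # The default value of InprocServer32 is the DLL that implements the object.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Id\InprocServer32"
    if (Test-Path -LiteralPath $key) {
        return (Get-Item -LiteralPath $key).GetValue('')
    }
    return $null   # object is not registered (workaround 4 already applied, or never installed)
}

function Test-KillBit {
    param([string]$Root, [string]$Id)
    $key = "$Root\$Id"
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $flags = (Get-Item -LiteralPath $key).GetValue('Compatibility Flags', 0)
    return (($flags -band $KillBit) -eq $KillBit)
}

$server = Get-ComServerPath -Id $Clsid
foreach ($root in $CompatRoots) {
    [pscustomobject]@{
        Clsid      = $Clsid
        ServerPath = $server
        FileOnDisk = [bool]($server -and (Test-Path -LiteralPath $server))
        CompatKey  = $root
        KillBitSet = Test-KillBit -Root $root -Id $Clsid
    }
}
```

A host where `ServerPath` is populated and `KillBitSet` is false in the registry view its browser uses still lets Internet Explorer load the object.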


©2009 About.com, a part of The New York Times Company.

All rights reserved.