
Security News

New year doesn't save Microsoft from a new batch of IE vulnerabilities, this time menacingly critical

January 10, 2005

Three unpatched flaws in Internet Explorer now pose a higher danger, security company Secunia warned, after code to exploit one of the issues was published to the Internet.

Secunia said Friday that it had raised its rating of the vulnerabilities in Microsoft's browser to "extremely critical," its highest rating. The flaws, which affect IE 6, could enable attackers to place and execute malicious programs such as spyware or Trojans, or launch phishing attacks, on victims' computers without their knowledge, said Thomas Kristensen, Secunia's chief technology officer.

"In order for us to rate a vulnerability as extremely critical, there has to be a working exploit out there and one that doesn't require user interaction," Kristensen said. "This is our highest rating and is the last warning for users to fix their systems."

In its December 21 advisory, the GreyHats Security Group published exploit code for one of the vulnerabilities, a flaw in an HTML Help control. The code showed how the vulnerability could be used to allow hackers to compromise unprotected machines.

The exploit code can be used to attack computers running Windows XP even if Microsoft's Service Pack 2 patch has been installed, Secunia said. The company is advising people to disable IE's ActiveX support as a preventative measure until Microsoft develops a patch for the problem. This can be done by setting Internet Explorer's security level to "high" with the following succession of mouse clicks: IE --> Tools --> Internet Options --> Security --> Internet --> Custom Level --> Reset to: High --> OK. The company also suggests using another browser product.

The vulnerability was originally discussed as the Drag'n'Drop vulnerability back in October 2004. The new development only utilises flaws in the HTML Help control.

"Microsoft knew of this back in October," said Thomas. "In my opinion, it's not fair to have a vulnerability known for two months without having an available patch, especially when every little detail (of the vulnerability) is out there."

"Microsoft is now aware of all three issues, and I'm sure they're giving it an even higher priority," he added.

Microsoft said it was investigating the reports on this exploit, adding that the delay in issuing an IE fix was related to the extensive work needed to produce an effective patch.

"It's important to note that security response requires a balance between time and testing, and Microsoft will only release an update that is as well engineered and thoroughly tested as possible--whether that is a day, week, month or longer," a Microsoft representative said. "In security response, an incomplete security update can be worse than no patch at all if it only serves to alert malicious hackers to a new issue."

Thus far, there is no patch to address the situation, and users of IE should enable Windows Update so that they can apply the patch as soon as Microsoft releases it. In the meantime, you can follow a link to Secunia's site and click "Test Your System" there to see how vulnerable your machine is to this type of PC threat.

 
© 2006 PC Flank Ltd. All rights reserved.