Microsoft issues patch for three new holes in IE
December 18, 2001
Microsoft has urged users of its IE browser to download a patch to fix three new security holes and all prior known vulnerabilities.
All of the flaws affect Internet Explorer 6.0, and two of them also affect IE 5.5.
The most critical flaw involves a bug in the Microsoft.XMLHTTP component shipped with Internet Explorer version 6.0, which allows reading and sending local files. Using this exploit, a hacker could force IE to open an executable file upon download without asking the user for permission. As a result, a hacker could create an HTML mail message or Web page capable of automatically running code on a vulnerable computer.
The second flaw affects both 5.5 and 6.0 versions of Internet Explorer. This vulnerability is a variation of a previously discovered bug that enables a Web-site operator to open two browsers, one in the site's domain and another on the victim's computer, and transfer information from one to the other. This enables the attacker to read, but not modify, files on the victim's computer that can be opened in a browser, such as HTML or image files.
The third vulnerability, in IE 5.5 and 6.0, allows a hacker under certain circumstances to change the name of a file in the dialog box that appears when a file is being downloaded from the Net. The flaw can be exploited via HTML mail or a Web page and can be used to trick users into opening malicious files.
Microsoft urges all IE users to "install the patch immediately".