[ISN] Microsoft Investigates New IE Hole

InfoSec News isn at c4i.org
Wed Aug 31 04:04:04 EDT 2005


By Paul F. Roberts 
August 30, 2005 

Microsoft is investigating another critical hole in its Internet
Explorer Web browser.

The hole, if left unpatched, could allow remote attackers to take
control of Windows XP machines running Service Pack 2 and Internet
Explorer 6 using silent attacks that are launched from malicious Web

The remotely exploitable hole can be used to compromise fully patched
Windows XP SP2 computers and there is no way to block attacks,
according to Tom Ferris, the independent researcher who found the

News of the critical, unpatched hole comes just weeks after a report
on another critical Windows hole [1] from Ferris, who uses the online
name "badpack3t."

"It's a pretty nasty flaw," Ferris said on Tuesday.

"If a user visits a malicious Web site, the [attack] code can be
executed without them even knowing about it—there's no pop-up or crash
screen," he said.

Microsoft Corp. acknowledged in an e-mail that it received Ferris's
report and is "aggressively investigating" the flaw.

The Redmond, Wash., company is not aware of attacks that try to use
the reported vulnerabilities or of any customer impact, according to a
company spokesperson.

Ferris declined to give details about where in IE he found the hole,
but said it is not a variant of other known flaws in the widely used
Web browser.

"It's not like any other flaw in IE—it's definitely different," Ferris

Ferris, an independent security researcher who lives in Mission Viejo,
Calif., and operates the SecurityProtocols.com Web site, said he told
Microsoft about it on Aug. 14 using the secure at microsoft.com e-mail
address and has exchanged e-mail with a company researcher since then,
but hasn't heard anything from the company in a week.

He said staff at Microsoft appeared to be struggling to understand the

"I've given them more than enough information to understand it 
they keep asking for more details," he said.

Ferris did not provide proof-of-concept code that shows how the hole
can be used to gain remote access to affected machines, but did
provide proof-of-concept code that crashes IE.

"It's a blatant access violation crash," he said.

Microsoft said it would take action to address Ferris's report when it
completes its investigation.

If Ferris's reported vulnerability holds up, possible remedies could
include an unscheduled security patch or a patch released on the
company's regular monthly schedule, according to the Microsoft

Ferris hasn't tested the hole on other versions of Windows XP or
Internet Explorer and doesn't know if it will work on other versions
of those products.

He said he doesn't believe that other people have discovered the hole,
though he acknowledged that he might not be the only researcher who
had discovered it.

Windows XP SP2 users who also use Internet Explorer Version 6 have few
options for protecting themselves from attacks that use the

Changing the Internet Explorer security settings will not stop attack
code from executing on affected systems, and firewall and host
intrusion detection products that Ferris tested did not detect the
exploit, he said.

Ferris suggested IE users concerned about being attacked using the
flaw should switch to other Web browsers until Microsoft has patched
the hole.

Microsoft encourages security researchers like Ferris to follow
"responsible disclosure" practices and not to publicize holes before a
patch is available.

Ferris said he is aware of the company's position and considers
himself in a "grey area," because he has not released any details
about the vulnerability he found.

Ferris said that he publicized the existence of a hole to warn IE
users, who might consider refraining from using the browser until the
hole is fixed.

[1] http://security-protocols.com/modules.php?name=News&file=article&sid=2783

More information about the ISN mailing list