[ISN] IE flaw threat hits the roof

InfoSec News isn at c4i.org
Mon Jan 10 10:18:10 EST 2005


By Dawn Kawamoto 
Staff Writer, CNET News.com
January 7, 2005

Three unpatched flaws in Internet Explorer now pose a higher danger, a
security company warned, after code to exploit one of the issues was
published to the Internet.

Secunia said Friday that it had raised its rating of the
vulnerabilities in Microsoft's browser to "extremely critical," its
highest rating. The flaws, which affect IE 6, could enable attackers
to place and execute programs such as spyware and pornography dialers
on victims' computers without their knowledge, said Thomas Kristensen,
Secunia's chief technology officer.

Exploit code for one of the vulnerabilities, a flaw in an HTML Help
control, was published on the Internet on Dec. 21 in an advisory by
GreyHats Security Group.

"In order for us to rate a vulnerability as extremely critical, there
has to be a working exploit out there and one that doesn't require
user interaction," Kristensen said. "This is our highest rating and is
the last warning for users to fix their systems."

The exploit code can be used to attack computers running Windows XP
even if Microsoft's Service Pack 2 patch has been installed, Secunia
said. The company is advising people to disable IE's ActiveX support
as a preventative measure, until Microsoft develops a patch for the
problem. It also suggests using another browser product.

The Secunia advisory also warns of another HTML Help control
vulnerability that, when used in combination with a drag-and-drop
flaw, could be used to attack PCs--though in that case, it would have
to be with the interaction of the victim. The company first issued an
alert about the three security holes in October.

"Microsoft knew of this back in October," Kristensen said. "In my
opinion, it's not fair to have a vulnerability known for two months
without having an available patch, especially when every little detail
(of the vulnerability) is out there."

"Microsoft is now aware of all three issues, and I'm sure they're
giving it an even higher priority," he added.

Microsoft said it was investigating the public reports of the exploit,
adding that the delay in fixing the IE patch was related to the
extensive work needed to produce an effective patch.

"It's important to note that security response requires a balance
between time and testing, and Microsoft will only release an update
that is as well engineered and thoroughly tested as possible--whether
that is a day, week, month or longer," a Microsoft representative
said. "In security response, an incomplete security update can be
worse than no patch at all if it only serves to alert malicious
hackers to a new issue."

The company is advising people to check its safe browsing guidelines
and to set their Internet security zone settings to "high." It also
suggests that people continue installing automatic security updates
from Service Pack 2.

This latest discovery marks another setback in Microsoft's efforts to
shore up its security. When Microsoft launched SP2 in August, Chair
Bill Gates touted it as a significant step in fortifying systems
against attacks.

Secunia also offers users the ability to conduct an online test of
their systems to see if they are vulnerable.
