
Thread: IE flaw threat hits the roof


  1. #1
    Join Date
    Aug 2004
    Toronto, Canada
    IE flaw threat hits the roof

    Three unpatched flaws in Internet Explorer now pose a higher danger, a security company warned after code to exploit one of the issues was published to the Internet.

    Secunia said Friday it has raised its rating of the vulnerabilities in Microsoft's browser to "extremely critical," its highest rating. The flaws, which affect IE 6, could enable attackers to place and execute programs such as spyware and pornography dialers on victims' computers without their knowledge, said Thomas Kristensen, Secunia's chief technology officer.

    Exploit code for one of the vulnerabilities, a flaw in an HTML Help control, was published on the Internet on Dec. 21 in an advisory by GreyHats Security Group.

    "In order for us to rate a vulnerability as extremely critical, there has to be a working exploit out there and one that doesn't require user interaction," Kristensen said. "This is our highest rating and is the last warning for users to fix their systems."

    The exploit code can be used to attack computers running Windows XP even if Microsoft's Service Pack 2 patch has been installed, Secunia said. The company is advising people to disable IE's ActiveX support as a preventative measure, until Microsoft develops a patch for the problem. It also suggests using another browser product.

    The Secunia advisory also warns of another HTML Help control vulnerability that, when used in combination with a drag-and-drop flaw, could be used to attack PCs--though in that case, it would have to be with the interaction of the victim. The company first issued an alert about the three security holes in October.

    "Microsoft knew of this back in October," Kristensen said. "In my opinion, it's not fair to have a vulnerability known for two months without having an available patch, especially when every little detail (of the vulnerability) is out there."

    "Microsoft is now aware of all three issues, and I'm sure they're giving it an even higher priority," he added.

    Microsoft said it was investigating the public reports of the exploit, adding that the delay in fixing the IE patch was related to the extensive work needed to produce an effective patch.

    "It's important to note that security response requires a balance between time and testing, and Microsoft will only release an update that is as well engineered and thoroughly tested as possible--whether that is a day, week, month or longer," a Microsoft representative said. "In security response, an incomplete security update can be worse than no patch at all if it only serves to alert malicious hackers to a new issue."

    The company is advising people to check its safe browsing guidelines and to set their Internet security zone settings to "high." It also suggests people continue installing automatic security updates from Service Pack 2.

    This latest discovery marks another setback in Microsoft's efforts to shore up its security. When Microsoft launched SP2 in August, Chairman Bill Gates touted it as a significant step in shoring up systems against attacks.

    Secunia also offers users the ability to conduct an online test of their systems to see if they are vulnerable.

  2. #2
    Senior Member
    Join Date
    Jan 2005
    Near Springfield, MA
    ouch, that sucks......I better run my spyware scanner...
    "If you enjoy what you do, you'll never work another day in your life."

    My man Confucius said it well :D

    Why is my signature text blue I did not make it like that??
