[ISN] Microsoft investigating reports of new IE hole

InfoSec News isn at c4i.org
Fri Nov 5 03:19:24 EST 2004


http://www.nwfusion.com/news/2004/1104microinves.html

By Joris Evers
IDG News Service
11/04/04

Microsoft is investigating reports of a serious security flaw in
Internet Explorer, but has not yet seen malicious code that exploits
the reported flaw, the company said Thursday.

Security experts earlier this week warned that code exploiting a newly
discovered security hole in IE is circulating on the Internet. The
code exploits a buffer overflow vulnerability in IE 6 and has been
confirmed on PCs running Windows XP with Service Pack 1 and Windows
2000, according to Danish security company Secunia.

The U.S. Computer Emergency Readiness Team (CERT) issued an alert
similar to the Secunia advisory. CERT warns that aside from the Web
browser, applications such as e-mail clients that rely on browser
controls may also be vulnerable. Attackers could gain complete control
over a victim's computer by exploiting the flaw, according to Secunia
and CERT.

Microsoft is investigating the possible vulnerability, the company
said in a statement. However, while Secunia and CERT raise alarm over
code exploiting the vulnerability being publicly available, Microsoft
said it has not seen that yet. "We have not been made aware of any
active exploits of the reported vulnerabilities or customer impact at
this time, but we are aggressively investigating the public reports,"
the company said.

The flaw lies in the way IE handles the SRC and NAME attributes of the
"frame" and "iframe" HTML elements, according to the CERT alert. A
user could be attacked via a Web page containing malicious code or an
HTML e-mail message.

There is no patch for this flaw, but computers running Windows XP
Service Pack 2 appear to be protected, according to Secunia and CERT.

Upon completing its investigation, Microsoft said it will take the
appropriate action to protect Windows users. This may include
providing a fix through its monthly patch release process or an
out-of-cycle security update, the company said.




