Saturday, January 08, 2005

Three unpatched flaws in Internet Explorer

Three unpatched flaws in Internet Explorer:

“Secunia said Friday that it had raised its rating of the vulnerabilities in Microsoft's browser to "extremely critical," its highest rating. The flaws, which affect IE 6, could enable attackers to place and execute programs such as spyware and pornography dialers on victims' computers without their knowledge, said Thomas Kristensen, Secunia's chief technology officer.

Exploit code for one of the vulnerabilities, a flaw in an HTML Help control, was published on the Internet on Dec. 21 in an advisory by GreyHats Security Group.

"In order for us to rate a vulnerability as extremely critical, there has to be a working exploit out there and one that doesn't require user interaction," Kristensen said. "This is our highest rating and is the last warning for users to fix their systems."

The exploit code can be used to attack computers running Windows XP even if Microsoft's Service Pack 2 patch has been installed, Secunia said. The company is advising people to disable IE's Active X support as a preventative measure, until Microsoft develops a patch for the problem. It also suggests using another browser product.

The Secunia advisory also warns of another HTML Help control vulnerability that, when used in combination with a drag-and-drop flaw, could be used to attack PCs--though in that case, it would have to be with the interaction of the victim. The company first issued an alert about the three security holes in October.”

Microsoft said it was investigating the public reports of the exploit, adding that the delay in fixing the IE patch was related to the extensive work needed to produce an effective patch.

The company is advising people to check its safe browsing guidelines and to set their Internet security zone settings to "high." It also suggests that people continue installing automatic security updates from Service Pack 2.

Secunia also offers users the ability to conduct an online test of their systems to see if they are vulnerable.

http://dw.com.com/redir?destUrl=http%3A%2F%2Fsecunia.com%2Finternet_explorer_command_execution_vulnerability_test%2F&siteId=22&oId=2100-1009-5517457&ontId=1009&lop=nl.ex

http://news.zdnet.com/2100-1009_22-5517457.html?tag=nl.e589
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)