IE browser reaches critical vulnerability

Jan 10, 2005: An advisory has been published that warns users of critical vulnerabilities in IE 6 that could allow attackers to run spyware and pornographic dialers on a computer without the victim knowing anything about it.

Security company Secunia states that the exploit code could be used to infiltrate computers running Windows XP, even if Microsoft's Service Pack 2 has been installed.

However, the company recommends that users disable IE's ActiveX support to prevent the problem until Microsoft creates a suitable patch. It also suggests that people switch to a different browser.

The Secunia advisory says: "Some vulnerabilities have been discovered in Internet Explorer, which can be exploited by malicious people to compromise a user's system, conduct cross-site/zone scripting and bypass a security feature in Microsoft Windows XP SP2."

The three vulnerabilities are:

"1. Insufficient validation of drag and drop events from the "Internet" zone to local resources for valid images or media files with embedded HTML code. This can be exploited by e.g. a malicious website to plant arbitrary HTML documents on a user's system, which may allow execution of arbitrary script code in the "Local Computer" zone.

"2. A security site/zone restriction error, where an embedded HTML Help control on e.g. a malicious website references a specially crafted index (.hhk) file, can execute local HTML documents or inject arbitrary script code in the context of a previously loaded document using a malicious javascript URI handler.

"Successful exploitation may allow execution of arbitrary HTML and script code in a user's browser session in the context of arbitrary sites, or execution of local programs with parameters from the "Local Computer" zone using an HTML Help shortcut.

"3. A security site/zone restriction error in the handling of the "Related Topics" command in an embedded HTML Help control can be exploited by e.g. a malicious website to execute arbitrary script code in the context of arbitrary sites or zones."
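The first item concerns files that are valid images yet also carry HTML markup. The following gateway-side check for such image/HTML polyglots is an added example, not code from Secunia or the original article; the file signatures, the tag list and the sample bytes are constructed assumptions.

```python
"""Flag image files that also carry HTML markup (image/HTML polyglots).

Secunia's item 1 describes valid images or media files with embedded HTML
that IE 6 could be tricked into planting on a user's system as HTML documents.
A file with a genuine image signature that also contains HTML or script tags
is exactly that kind of polyglot and is worth quarantining at a mail or web gateway.
"""
import re
from typing import Optional

# Magic bytes for common image container formats (assumed, well-known values).
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "bmp": (b"BM",),
}

# Opening tags that have no business inside an image; matched case-insensitively.
HTML_MARKERS = re.compile(rb"<\s*(html|script|body|iframe|object)\b", re.IGNORECASE)


def detect_format(data: bytes) -> Optional[str]:
    """Return the image format named by the file's leading bytes, or None."""
    for name, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return name
    return None


def find_embedded_html(data: bytes) -> list:
    """Return the distinct HTML tag names found anywhere in the file, sorted."""
    return sorted({m.group(1).decode().lower() for m in HTML_MARKERS.finditer(data)})


def classify(data: bytes) -> dict:
    """A file is suspicious only if it is both a real image and contains HTML."""
    fmt = detect_format(data)
    tags = find_embedded_html(data)
    return {"format": fmt, "html_tags": tags, "suspicious": fmt is not None and bool(tags)}


# Constructed samples: a minimal 1x1 GIF, the same GIF with HTML appended, and plain HTML.
CLEAN_GIF = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
POLYGLOT_GIF = CLEAN_GIF + b"<HTML><BODY><SCRIPT>/* constructed marker */</SCRIPT></BODY></HTML>"
PLAIN_HTML = b"<html><body>not an image</body></html>"

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_GIF), ("polyglot", POLYGLOT_GIF), ("html", PLAIN_HTML)]:
        print(label, classify(blob))
```

Plain HTML is reported as not suspicious because the check targets the mismatch between an image signature and HTML content, not HTML files as such.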

Secunia has released a test here, so that users can check whether their browser is affected by these vulnerabilities.

Staff at Secunia have said that Microsoft has known about the vulnerabilities for the last two months, and they are surprised that it has not yet released a patch for them.

However, Microsoft has said that it is working hard to develop patches for these problems, and that the delay is because it is making sure the patch is robust enough to stop the problem completely.

Microsoft has suggested that people should check its safe browsing guidelines here to help them deal with the problems.
