By Robert Lemos
Posted on ZDNet News: Nov 4, 2004 9:13:00 PM

The threat posed by a critical flaw in Internet Explorer has been ratcheted up by the release of a program designed to exploit the vulnerability, security researchers warned on Thursday.

Security information provider Secunia raised the buffer overflow flaw to its highest rating in a new advisory. The vulnerability, which was made public on Tuesday, could be used to make Internet Explorer trigger a malicious program when the Microsoft browser loads a specially formatted Web page. The flaw does not affect Windows XP Service Pack 2, Secunia said.

"This advisory has been rated 'extremely critical,' as a working exploit has been published on public mailing lists," the company said.

The Iframe flaw is the latest in a series of security issues related to Internet Explorer. This week, ScanSafe found that a flaw in the browser had racked up the highest number of attacks for one exploit in the second quarter. In addition, Microsoft has been drawn into a debate over whether a spoofing technique that uses Internet Explorer can be described as a flaw. Last month, security companies sent out a warning that a set of security holes affected Microsoft's browser among other major Web software.

Microsoft has begun to investigate the Iframe vulnerability and has not been made aware of any program designed to exploit the flaw, the company said in an e-mail statement to CNET News.com.

"Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs," the company stated.

The software company took issue with the public release of the vulnerability before it had been notified.

"Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk," the company said in the statement. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."

For now, users can upgrade to Windows XP SP 2 or use a different browser.

The U.S. watchdog for Internet threats, the Computer Emergency Readiness Team (CERT), has also warned government and industry users about the Iframe flaw. According to the US-CERT advisory, the problem is caused by how Internet Explorer handles certain attributes of frames, which are a way of displaying Web content in separate parts of the browser window.

The US-CERT alert notes that other programs using the WebBrowser ActiveX control could be affected by the vulnerability. These programs include Microsoft's Outlook and Outlook Express, America Online's browser, and Lotus Notes.

  • Talkback
  • Most Recent of 46 Talkback(s)
Only hackers and MS should know? Rubbish!
Hah! I was saying that your post was Un-American, because it suggested that obstruction of the free flow of communication was some kind of solution. If you don't want to know about vulnerabilities, wo...
Posted by: Kaavin Posted on: 01/14/05
I'm Finally Fed Up with IE  DaffyDuck | 11/04/04
Look, ANOTHER Security Flaw!!!  itanalyst | 11/04/04
(nt) Already patched with SP2  d_jedi | 11/04/04
I will not install SP2, screws up too many things (NT)  Harry Butts | 11/04/04
(nt) The security flaws screw things up much more than the service pack  d_jedi | 11/04/04
No problem here. Of course I gave it a month or two first ...  ac2_z | 11/04/04
SP2  benf_z | 11/05/04
Win 2k status  sbj | 11/04/04
using firefox is a lot easier  JasonL31 | 11/07/04
ZDNet, fix your freakin links.  No_Ax_to_Grind | 11/04/04
Which ones are busted? (nt)  S.Howard-Sarin, ZDNet Moderator | 11/04/04
Don't worry, he's just off his meds again. (nt)  Plain Logic | 11/04/04
ALL OF THEM  Valis Keogh | 11/04/04
OK, got it.  S.Howard-Sarin, ZDNet Moderator | 11/05/04
stupid dw.com.com  Valis Keogh | 11/04/04
Public Executions  The Outlaw | 11/04/04
Wrong ...  Plain Logic | 11/04/04
Wrong  AMARTEL | 11/05/04
Not A Bad Idea  ChuTw | 11/04/04
Public Executions  CodeBubba | 11/05/04
Additional Note to whiners  The Outlaw | 11/05/04
Look who is whinning  bugmenotznet | 11/07/04
whinning???  gallagher39 | 11/09/04
Time to start suing for GROSS NEGLIGENCE....  Plain Logic | 11/04/04
Who do you sue?  bug-lover | 11/04/04
Sue yourself, Dude  Kaavin | 11/04/04
very interesting post kaavin...  Monkey_MCSE | 11/04/04
I think YOU missed the point, dude!  bug-lover | 11/04/04
Only hackers and MS should know? Rubbish!  Kaavin | 01/14/05
Mulling over the profits in Patent Lawsuits  FilledOut | 11/05/04
Time to start suing for GROSS NEGLIGENCE....  CodeBubba | 11/05/04
Mozilla Firefox - good alternative to IE  vmolotsky | 11/04/04
Biggest flaw is Microsoft.  DJnRF | 11/04/04
Besides security no other reason to use Mozilla  armando700@... | 11/04/04
Apart from "not running Windows", perhaps?  Zogg | 11/05/04
Ehh. Did you actually try it?  MetaVoid | 11/05/04
Would you please enumerate the ways?  Taz_z | 11/05/04
firefox out does IE  voska | 11/06/04
IE fixes make machines unstable  steveb39 | 11/05/04
Didn't have probs  FilledOut | 11/05/04
IE Fixes makes machines unstable...  PhoenixStorm26 | 11/05/04
So what finally was the solution?  FilledOut | 11/05/04
Microsoft don't care, you "I Agreed" to the EULA  whisperycat | 11/05/04
EULAs..  d_jedi | 11/05/04
How is it different?  michael-t | 11/05/04
Won't someone think of the coders, think of the coders  FilledOut | 11/05/04
