
By Joris Evers
Posted on ZDNet News: Sep 28, 2005 7:35:00 PM

A new flaw in Internet Explorer could be exploited to launch spoof-based attacks, or access and change data on vulnerable PCs, security experts have warned.

The problem lies in the way Microsoft has implemented a JavaScript component in its Web browser, security researcher Amit Klein wrote in a research document. Internet Explorer does not validate some data fields provided by a PC when the component, called XmlHttpRequest, is used, he wrote.

The vulnerability could be exploited with specially crafted code. An attacker could spoof a legitimate Web site, access data from the Web browser's cache or stage a so-called man-in-the-middle attack, which taps into traffic between a user and another Web site, according to Klein's write-up.

Fully patched computers running Windows XP with Service Pack 2 and Internet Explorer 6.0 are vulnerable to this issue, security monitoring company Secunia said in an advisory. Secunia rates the problem as "moderately critical" but says people can avoid the risk by setting the security level in IE to "high."

Microsoft is investigating the vulnerability report, a company representative said in a statement. The software maker is not aware of any attacks that take advantage of the flaw, the representative said. Upon completion of the investigation, Microsoft may provide a security update or emergency fix.

Microsoft is unhappy about the way the problem was disclosed. The company urges security researchers to report problems in its products privately so it can provide a fix. "This public disclosure potentially puts computer users at risk," the Microsoft representative said.

In recent weeks, several security researchers have come forward with flaws in Internet Explorer, which is part of Windows. Some of these vulnerabilities could let an intruder gain control of a user's PC. Microsoft initially planned to release at least one patch for Windows earlier this month but pulled it because of quality issues.

Secunia has published 86 security advisories on IE, of which 20 are currently marked "unpatched" in the Secunia database.
