A computer science researcher has highlighted the shortcomings of Microsoft's latest patch for its Internet Explorer browser by identifying another way that online vandals could run malicious programs on a Web surfer's computer.
Microsoft on Friday released a fix that's designed to protect computers from one of three flaws that, together, could be used to digitally slip past a PC's security through the browser. This weekend, however, a security researcher identified another flaw that could serve the same purpose and that isn't fixed by Microsoft's patch.
"They chose to address only one part of the problem," said Jelmer Kuperus, a computer science student in the Netherlands who posted the code for the work-around. "They should have seen this one coming."
This marks the third time in a month that Microsoft has had to play catch-up to researchers' public disclosures about insecurities in Internet Explorer. In early June, Kuperus found a Web site that used two previously unknown vulnerabilities, plus the recently patched one, to install adware on victims' computers. Additionally, security researchers discovered last week that a milder vulnerability, which Microsoft had fixed in early versions of the browser, reappeared in later versions.
Microsoft acknowledged the latest issue and said more fixes would be forthcoming.
"The company is working to provide a series of security updates to Internet Explorer in coming weeks that will provide additional protection for customers," a company representative told CNET News.com. The company will also "continue to actively investigate these reports".
The most recent flaw is not new -- security researchers first discussed the issue in January, Kuperus said. It had originally been considered minor, but the flaw is significant because it can be used in conjunction with the two other vulnerabilities, which were found at the beginning of June. Together, all three add up to easy access to Windows computers running Internet Explorer.
"Most exploits we are seeing developed today are composed of multiple vulnerabilities, [each one] bypassing a specific security feature of Internet Explorer," Kuperus said. "Individually, many of these issues often are fairly harmless, but combined they can pose serious risk."
Both the original and the latest vulnerabilities exist in a library of components and scripting features known as ActiveX. The older flaw is in ADODB.Stream, while the latest vulnerability is in the Application.Shell component.
Vulnerabilities in IE have become so common that some security researchers are recommending that people adopt alternative browsers. The Computer Emergency Response Team, the official US body responsible for defending against online threats, also advised security administrators to consider moving to a non-Microsoft browser, as one of six recommended responses.
Microsoft recommends that users go to the company's Protect Your PC site for the latest information.
