Security threats Toolkit

IE flaw danger increases as exploit code released

Published: 05 Nov 2004 08:23 GMT

The threat posed by a critical flaw in Internet Explorer has been ratcheted up by the release of a program designed to exploit the vulnerability, security researchers warned on Thursday.

Security information provider Secunia raised the buffer overflow flaw to its highest rating in a new advisory. The vulnerability, which was made public on Tuesday, could be used to make Internet Explorer trigger a malicious program when the Microsoft browser loads a specially formatted Web page. The flaw does not affect Windows XP Service Pack 2, Secunia said.

"This advisory has been rated 'extremely critical', as a working exploit has been published on public mailing lists," the company said.

The Iframe flaw is the latest in a series of security issues related to Internet Explorer. This week, ScanSafe found that a flaw in the browser had racked up the highest number of attacks for one exploit in the second quarter. In addition, Microsoft has been drawn into a debate whether a spoofing technique that uses Internet Explorer can be described as a flaw. Last month, security companies sent out a warning that a set of security holes affected Microsoft's browser among other major Web software.

Microsoft has begun to investigate the Iframe vulnerability and has not been made aware of any program designed to exploit the flaw, the company said in an email statement to ZDNet UK sister site CNET News.com.

"Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs," the company stated.

The software company took issue with the public release of the vulnerability before it had been notified.

"Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk," the company said in the statement. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."

For now, users can upgrade to Windows XP SP 2 or use a different browser.

The US watchdog for Internet threats, the Computer Emergency Readiness Team (CERT), has also warned government and industry users about the Iframe flaw. According to the US-CERT advisory, the problem is caused by how Internet Explorer handles certain attributes of frames, which is a way of displaying Web content in separate parts of the browser window.

The US-CERT alert notes that other programs using the WebBrowser Active X control, could be affected by the vulnerability. These programs include Microsoft's Outlook and Outlook Express, America Online's browser, and Lotus Notes.