Network Computing is part of the Informa Tech Division of Informa PLC

Two New IE Bugs Uncovered

Security analysts Wednesday warned users of a pair of unpatched bugs in Microsoft's popular Internet Explorer browser that may soon be in play because proof-of-concept code has gone public for both.

The two vulnerabilities have been detailed on the Full Disclosure security mailing list, and were the root of alerts issued by the SANS Institute's Internet Storm Center and Symantec Corp. on Wednesday.

One vulnerability lets attackers execute their code remotely if they can dupe users into double-clicking on a file included in a malicious Web page. The Internet Storm Center claimed that the current proof-of-concept exploit code requires this kind of user interaction, but went on to warn that "we can expect to find creative use of this exploit in the wild very soon." According to the ISC, disabling IE's active scripting capabilities might protect against an exploit of the bug.

The second flaw is due to a failure of IE to enforce cross-domain policies, Symantec said in a warning to customers of its DeepSight threat system. IE, which has been victimized by numerous cross-domain vulnerabilities, could be exploited to hijack usernames and passwords.

"This vulnerability can be potentially nasty as attackers can use it to retrieve data from other web sites [that the] user is logged into (for example, webmail) and harvest user credentials," said the ISC note. "Several handlers have spent a little more time validating this particular issue and while it is a subtle exploit and rated a lower level risk, this issue has raised some of our neck hairs."
