Login:
Password:
Lost Password?
Print this article  |  E-mail this article  |  Comment on this article

Microsoft Investigating New IE Flaw

By Nate Mook, BetaNews

September 29, 2005, 1:03 PM

Microsoft says it is investigating a report of a new vulnerability discovered in Internet Explorer that stems from XmlHttpRequest, a JavaScript object used in AJAX Web applications such as Google Maps. In an advisory, security firm Secunia says the flaw affects IE6 on a fully patched Windows XP SP2 system.

According to the initial paper detailing the problem written by Amit Klein, Internet Explorer can be fooled into running arbitrary HTTP requests. "IE doesn't validate some critical fields that are provided by the user," Klein said.

"Input passed to the method parameter in the "open()" function in the "Microsoft.XMLHTTP" ActiveX control isn't properly sanitised before being used," Secunia explained. "Successful exploitation requires that the HTTP request is sent to a server or via a proxy allowing tab characters instead of spaces in certain parts of the HTTP request."

In a statement, Microsoft said it was looking into the vulnerability, but was not aware of any attacks exploiting the flaw. As per its standard security policy, the company may issue an update as part of its monthly Patch Tuesday or provide an emergency fix.

Secunia has labeled the vulnerability risk "Moderately critical" and recommends that Internet Explorer users set their security level to "High."

Only IE 6 is affected by the problem. In his report, Klein said Mozilla fixed a similar security flaw in Firefox with the release of version 1.0.7.

Add a Comment (7 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

Name (required):

E-mail (required):

Enter Your Comment:

By jordenpro

posted Oct 3, 2005 - 1:12 PM

Stop crying, for the +94% users that use IE, you can expect to see numerous exploits released on Internet Explorer. Sure Firefox is more secure, that's because a majority of hackers aren't focusing on the 6% that use Firefox. Also, firefox is open source, so if a hacker did discover a major exploit and didn't submit it to Mozilla, well they have nice way to control Mozilla users.

My point is, for a hacker is easier to discovery exploits on Mozilla than IE, being that Mozilla is open source. You have to ask yourself, do you trust Microsoft ? or the community involved in protecting Mozilla?

I use both for different reasons. So I don't bother crying over which is more secure for what.

Score: 0

By jmccardl

posted Oct 2, 2005 - 1:59 PM

I think it is an absolute disgrace how so many of Microsoft's products have really serious flaws such as a simple buffer overflow or html errors that can cause errant programs to cause havoc. There must be many programmers at MS, who have been hackers (in their youth)in the past who should be beta testing these bugs.
Young minds see a different perspective and have a totally different way of seeing solutions so maybe MS should run competitions, using these youngsters, to see how to crash their software, and then rectify the problems before releasing it to the general public.

I guess we are lucky that they do not produce automobiles, Just imagine how many would have been killed due to system failures. We would have a world wide govt backlash.

Score: 0

By robmanic44

posted Oct 1, 2005 - 2:05 PM

I wonder how many people are using IE6 on its own? With such programs as Wichio, SecureIE, Netcaptor, and Maxthon around, I think a lot of people aren't using it as a standalone browser. I would think these browsers would have some impact on the security of IE6. That's why they are being used.

Score: 0

By John_Bedin

posted Sep 30, 2005 - 10:16 AM

MONOPOLISTIC MICROSOFT FLAWED AGAIN.WHEN ARE THEY GOING TO PERFECT ANYTHING.? VISTA ? GOD HELP US POOR CONSUMERS. I CRINGE AT THE THOUGHT OF DOWNLOADING SERVICE PACK AFTER SERVICE PACK. IE7 ? HOW MANY FIREWALLS WILL WE NEED TO PROTECT US ? MODERATELY CRITICAL ? .THAT IS AN OXYMORON TO THE MAX.I CANNOT BELIEVE THESE COMPUTER GEEKS WHO HIDE BEHIND NOM DE PLUME DIGESTING AND DISCUSSING SUCH SCURRILOUS INANITIES.MICROSOFT IS THE DARK SIDE. APPLE WILL PREVAIL, IF THE UNIVERSE UNFOLDS AS IT SHOULD.

Score: 0

By beta_animal

posted Sep 29, 2005 - 5:51 PM

"Microsoft Investigating New IE Flaw"

Uh... So what's new?

Score: 0

By itanshi

posted Sep 29, 2005 - 4:51 PM

hehehe this so cracked me up, google inticing hackers to break IE through their code :-P nah of course not hehe. I know better ^^

Score: 0

By ghoste

edited Sep 29, 2005 - 11:46 PM

[x=1]
[do while x[<]999]

response.write "microsoft wins[br]"

[x=x+1]
[loop]

Score: 0

Dec 5 - 1:45 AM ET Shazam: eight million songs of the eternal Now

Dec 4 - 7:30 PM ET Comcast to offer bandwidth consumption monitor

Dec 4 - 5:37 PM ET Counterfeiters sing the 'Blue' as Microsoft lawyers up

Dec 4 - 4:40 PM ET Opera 10 alpha shows off new Presto rendering engine

Dec 4 - 2:29 PM ET Apple: Psystar clone-maker is working with unnamed collaborators

Dec 4 - 2:21 PM ET Windows Live rollout sketchy, team apologizes

Dec 4 - 2:20 PM ET Stinging from a revenue shortfall, Adobe to shed workers

Dec 4 - 11:47 AM ET The storm hits AT&T, with a five-digit headcount reduction

Dec 4 - 11:42 AM ET TV sports adopts Web coverage, plays with iPhones

Dec 4 - 11:24 AM ET Microsoft seeks 'community' help to make IE8 Standards Mode work out