Two New IE Flaws Discovered

Security researchers have discovered two new flaws in Internet Explorer. While proof of concept code is available for both, there are no known exploits of either flaw.

The first involves a cross-site scripting issue where an attacker could view information in an open browser window from another that is visiting a malicious site. However, researchers called the issue less serious than the other flaw, saying it requires user interaction, and sensitive data in other browser windows.

"Several handlers have spent a little more time validating this particular issue and while it is a subtle exploit and rated a lower level risk, this issue has raised some of our neck hairs," Bojan Zdrnja of the SANS Internet Storm Center said on the company's Web site.

Adrian Stone at the Microsoft Security Research Center confirmed that the company was looking into the issue. "So far we're not aware of any attacks attempting to use vulnerability or any customer impact, but we wanted to let everyone know we're investigating," he said.

At one time, the above flaw was thought to affect Mozilla Firefox as well, however further testing by SANS found that is not the case. Additionally, the group found that Internet Explorer 7 is also immune to the vulnerability.

A second more serious flaw involves how HTA applications are handled. A user could be tricked into opening a malicious file, which in turn could execute code. The file would need to be accessed through SMB or WebDAV in order for the issue to be exploited.

"The currently available version of PoC that was published is limited in that it requires the user to double click on an icon to execute a potentially malicious payload, but we can expect to find creative use of this exploit in the wild very soon," Zdrnja said. "The workaround for this appears to be disabling active scripting."

Microsoft said it was investigating the HTA flaw as well.