Two New IE Flaws Discovered

By Ed Oswald, BetaNews

June 30, 2006, 1:30 PM

Security researchers have discovered two new flaws in Internet Explorer. While proof of concept code is available for both, there are no known exploits of either flaw.

The first is a cross-site scripting issue in which an attacker could view information in one open browser window from another window that is visiting a malicious site. However, researchers called the issue less serious than the other flaw, saying it requires user interaction and the presence of sensitive data in other browser windows.

"Several handlers have spent a little more time validating this particular issue and while it is a subtle exploit and rated a lower level risk, this issue has raised some of our neck hairs," Bojan Zdrnja of the SANS Internet Storm Center said on the company's Web site.

Adrian Stone at the Microsoft Security Research Center confirmed that the company was looking into the issue. "So far we're not aware of any attacks attempting to use vulnerability or any customer impact, but we wanted to let everyone know we're investigating," he said.

At one time, the above flaw was thought to affect Mozilla Firefox as well; however, further testing by SANS found that is not the case. Additionally, the group found that Internet Explorer 7 is also immune to the vulnerability.

A second, more serious flaw involves how HTA applications are handled. A user could be tricked into opening a malicious file, which in turn could execute code. The file would need to be accessed through SMB or WebDAV in order for the issue to be exploited.

"The currently available version of PoC that was published is limited in that it requires the user to double click on an icon to execute a potentially malicious payload, but we can expect to find creative use of this exploit in the wild very soon," Zdrnja said. "The workaround for this appears to be disabling active scripting."

Microsoft said it was investigating the HTA flaw as well.


By CMNetworx

edited Jan 8, 2007 - 2:06 AM

"Why should MS be obligated to fix anything we've already paid for?"

Hah, you're kidding me, right? If you bought a new car and the air conditioner worked 1/3 of the time, or the brakes randomly stopped working until you shut off the engine and started it back up, you wouldn't take that car back to the dealership to get it fixed?? Auto manufacturers have recalls for defective products, just like Microsoft has updates for bugs, or exploits..

Score: 0

By Andersinhosa

edited Jul 5, 2006 - 10:47 AM

AMUST 1-Defender
(http://amustsoft.com/1-defender/)
Great utility that allows you to reduce or eliminate the risks by allowing you to run Internet Explorer in SafeBrowse™ Mode, which limits Internet Explorer and restricts it from performing all operations that may significantly impact your system. Moreover, it gives the user a luxury of choice in how to run IE (protected or not) for a given task.

Score: 0

By mjm01010101

posted Jul 6, 2006 - 5:44 AM

Seriously: Why bother? I mean, there are other browsers out there with reduced or minimal threats. Anyone still using IE is getting what they deserve.

Score: 0

By frankwick

posted Jul 5, 2006 - 10:06 AM

Why should MS be obligated to fix anything we've already paid for? The fact that they do respond and release fixes is a good step for the evil empire. I'm a FF user, but IE7 does look very nice. IE7 borrows tabs from FF, but beta 3 seems faster.

Score: 0

By BadIronTree

posted Jul 4, 2006 - 4:46 AM

no way!

Score: 0

By bastion

posted Jul 3, 2006 - 10:53 PM

If the hundreds of thousands of hackers turned their attention to firefox, opera or any other browser instead of IE, then those other browsers would have faults found as well. IE is a target by so many they have more FOUND faults.

Score: 0

By Noremacam

posted Jul 4, 2006 - 12:27 AM

Exactly why I use firefox - "IE is a target by so many"

Score: 0

By compm375

posted Jul 4, 2006 - 12:27 AM

So what? As a Firefox user, why should I care why it is more secure than IE? As long as it is, I will keep using it. If it becomes less secure, because of an increase in users or for any reason, I can reevaluate my decision and use something else.

Score: 0

By bbetauser

edited Jul 3, 2006 - 1:55 PM

FIREFOX FIREFOX FIREFOX!!!

http://www.infoblog.us/2...nues-to-make-gains.html

Score: 0

By school1012

posted Jul 3, 2006 - 4:41 PM

This issue is not affected in IE7

Score: 0

By THZGryphon

posted Jul 3, 2006 - 3:14 PM

sux

Score: 0

By Babylon2x

posted Jul 3, 2006 - 3:04 PM

OPERA OPERA OPERA!!!

http://www.opera.com

Well what do you know, I can make a pointless comment too ;)

Score: 0

By Skyfrog

posted Jul 4, 2006 - 2:22 PM

LYNX LYNX LYNX!!!

http://lynx.browser.org/

Score: 0

By PC_Tool

posted Jul 5, 2006 - 10:40 AM

OFF BY ONE!! OFF BY ONE!! OFF BY ONE!!!

Me too!

http://offbyone.com/offbyone/

Best.

Browser.

Evah! ;)

Score: 0

By Calwardman

edited Jul 3, 2006 - 7:17 AM

Microsoft's IE has always had flaws and always will. I took a test drive of IE 7. It is not user friendly and is just as slow as 6.
Personally I like firefox and the old netscape for surfing the web.

Score: 0

By xyzcb1

posted Jul 3, 2006 - 11:11 AM

IE slow? In terms of what? How is IE 7 not user friendly?

I am a FF user too, and I think FF is slower than IE, but I like FF because it's safer than IE and I customize it with extensions the way I like.

Score: 0

By eclipsingdivinity

posted Jul 3, 2006 - 1:56 PM

Rendering wise, IE is a bit faster. But then again, if you put into account the lack of adblock for IE, I find Firefox loading my content to be much faster.

And Firefox is faster than IE7 in terms of tabs, program navigation etc. It's just more responsive. IE7 beta 3 made some progress in that area though. We'll see.

Score: 0

By Noremacam

posted Jul 3, 2006 - 1:09 PM

I think IE 7 appears un-user friendly because they rearranged the program in so much a way that it will initially alienate current IE 6 users.

There are other non-user friendly aspects to the program. When you press ctrl+t to create a new tab, it doesn't focus the keyboard in the address bar, thus taking away the point of using a keyboard shortcut to save time. (This will probably be fixed in the final version though). Also, you can't hide the tab bar when there's only one tab open. They try to make it more useful by adding other buttons to that bar as well, but to me, it still feels like it's wasting space.

As for speed - I've always considered it a non-issue. Maybe that's because my computer itself is fast enough to make any difference negligible? This is so much so that I forget, when trying to quote a fact, which browser is supposedly the fastest.

Score: 0

By taulin

posted Jul 4, 2006 - 4:47 AM

I have to agree with that adding buttons to the tab bar comment, I haven't tried IE7 but from the screenshots I've seen the tab bar looks really cramped, and really large too (though I assume you can change that by choosing small icons or something)

with Firefox, and my resolution, I can have 9 or more tabs open and see enough of the titles to know what each one is, why need thumbnail? useless gimmick

Score: 0

By GimieGimieGimie

edited Jul 4, 2006 - 8:50 AM

Actually, thumbnail viewing comes in pretty handy dumba**. Just because you have no use for it, doesn't mean it ain't useful. Don't make destructive comments that could put off users from wanting to experiment with a new feature just because *you* find no use for it (you just branded it a useless gimmick without even giving good reasons). For your information, the feature helps to expand multiple tab browsing experience.

Score: 0

By RPDP

posted Jul 3, 2006 - 4:19 AM

Every software will have some flaws. What matters is when it is found and how quickly it's being fixed. Hope M$ will soon have a patch for it.

Score: 0

By hugh750

edited Jul 2, 2006 - 5:22 PM

That's nothing new at all about Internet Explorer, they're always finding flaws in it.

Score: 0

By frankwick

posted Jun 30, 2006 - 2:22 PM

IE6 is years old. Of course they are going to find holes. MS needs to push IE7 out the door soon.

Score: 0

By joeshmoe7

posted Jul 1, 2006 - 12:05 PM

Yes because, no one will find holes in IE7 - it will be perfect!

Score: 0

By Metshrine

edited Jul 1, 2006 - 12:18 PM

Much like was thought of firefox huh? We saw how quickly they extinguished that candle.

Score: 0

By neoLeech

posted Jul 2, 2006 - 3:48 PM

funny
firefox:
http://secunia.com/product/4227/
Currently, 4 out of 33 Secunia advisories, are marked as "Unpatched" in the Secunia database.

Internet Explorer:
http://secunia.com/product/11/
Currently, 20 out of 104 Secunia advisories, are marked as "Unpatched" in the Secunia database.

Score: 0

By Metshrine

posted Jul 2, 2006 - 9:01 PM

And does exploit code exist for any of the IE ones just like the Firefox ones? No, so these aren't serious. No reports of anyone affected, no damage done. So, your point?

Score: 0

By The MAZZTer

posted Jul 3, 2006 - 3:21 PM

Point: Firefox has only been out for one or two years. IE has been out for YEARS AND YEARS.

Firefox SHOULD logically have more exploits because IE has had more time to be patched...

... but instead a repeatedly patched IE has far more holes than a newer, less tried and tested browser.

Score: 0

By Metshrine

posted Jul 4, 2006 - 12:37 PM

Don't forget LESS USED

Score: 0

By school1012

posted Jul 3, 2006 - 9:23 PM

Percentage wise in the same time period FF has more issues than IE does

Score: 0

By Bobbitchin

edited Jun 30, 2006 - 2:17 PM

Only two?

That's a pretty good week for Microsoft.

Score: 0

By womfalcs7

posted Jun 30, 2006 - 5:01 PM

Yeah, but they have 20 unpatched. Besides, a huge huge portion of users in the world don't have a genuine version of Windows XP. They won't be able to upgrade to IE7.

Score: 0

By Metshrine

posted Jul 1, 2006 - 11:40 AM

And obviously those 20 unpatched holes aren't very serious, otherwise code would exist to exploit them.

Score: 0

By Intrusive_Rogue

posted Jun 30, 2006 - 2:01 PM

Beta Software +1
Hackers 0

Score: 0