New Security Flaw Discovered in IE

By Ed Oswald, BetaNews

September 16, 2005, 11:45 AM

Security firm eEye released a notice on Thursday saying it had discovered a new flaw within Internet Explorer on both Windows XP and XP SP2. According to the notice, "A vulnerability in default installations of the affected software could allow for remote code execution."

Windows XP SP2 was touted as a much more secure version of Microsoft's flagship operating system. However, hackers have still found ways around the new security features, and flaws continue to pop up. Microsoft has been alerted to the problem, but as standard practice eEye will not release details of the vulnerability until it is patched or publicly acknowledged by Microsoft.

By xoineg

edited Sep 19, 2005 - 12:40 PM

is this news? or just the weekly list of flaws? :P

Important System Message ==> Browser used to view and enter this message = FIREFOX :P

Score: 0

By TheBeastH6

posted Sep 19, 2005 - 11:57 AM

Microsoft Sam is repairing your internet code deficiencies nowwwwwww.

Score: 0

By ThePain

posted Sep 18, 2005 - 12:37 PM

Is two greater than five?

http://yahoolian.dyndns..../firefox-vs-ie-security

Score: 0

By hugh750

posted Sep 17, 2005 - 3:29 PM

What Else Is New.

Score: 0

By netwiz562

edited Sep 17, 2005 - 12:53 AM

edit: repeat of someone else's quote

Score: 0

By wat0114

posted Sep 16, 2005 - 5:30 PM

*sigh*...MS will fix it, but will this ever end? It's the same bloody thing over and over again; remote code execution. Of course, there's some sniveling, overweight, snot-nose punkass loser ready to exploit it at the drop of a hat. For all you crackers out there, @#&% you! You ought to be disgusted with yourselves. Where in Sam hell is your conscience!? Anyways, I digress and must keep my emotions in check. After all, it's to be expected; we've been in the midst of a downward, spiralling out of control regression of humankind since around the late 80's. It's appropriately known as Devolution.

Score: 0

By Jacen

posted Sep 16, 2005 - 2:49 PM

Not a surprise.

Score: 0

By se7en11

posted Sep 16, 2005 - 12:08 PM

In other news, smoking is bad for you.

Patch for IE flaw:
http://www.mozilla.org/products/firefox/

Score: 0

By eunit

edited Sep 16, 2005 - 1:47 PM

didn't firefox just fix a flaw, ya they did

Score: 0

By sophist_dreams

posted Sep 17, 2005 - 5:50 PM

Yes, Firefox fixed an IDN flaw a few days after it was reported.......the key word is fixed, and in a timely manner.......Microspud will fix this some time around X-mas probably

Score: 0

By sophist_dreams

posted Sep 18, 2005 - 1:07 PM

They issued a new version of Firefox (1.0.7) that fixes the flaw.

Score: 0

By wincement

edited Sep 17, 2005 - 10:32 PM

Actually, it's just a work-around that disables the feature altogether for now. They're still working on a "fix."

That being said, they were quick to provide at least a temporary solution.

Score: 0

By Kramy

posted Sep 16, 2005 - 3:11 PM

Ahh, but it's a minor one, and FF isn't tightly tied into your OS.

Score: 0

By bourgeoisdude

posted Sep 16, 2005 - 5:45 PM

Well apparently "Extremely Critical" means "a minor one" when referring to FF...

Score: 0

By wincement

posted Sep 16, 2005 - 7:42 PM

lol. I was about to reply with the same comment.

Score: 0

By mjm01010101

posted Sep 17, 2005 - 2:20 AM

Have fun rebooting your entire infrastructure when MS releases its next browser patch. There goes your uptime!

Score: 0

By fewt

posted Sep 17, 2005 - 6:55 AM

That's what clusters and load balancers are for. ;-)

Score: 0

By bourgeoisdude

edited Sep 16, 2005 - 12:07 PM

Yup. MS, you need to fix your existing patches and get one ready for this issue too...it would be very unwise at this point for MS to wait until next patch Tuesday, regardless of original plans, as yet another flaw is revealed.

Note to Ed Oswald: Based on the first two sentences in your last paragraph (which is irrelevant at this time BTW), it's safe to say you still have issues with MS. But with SP2 being over a year old now--get over it!!!

Score: 0

By sophist_dreams

posted Sep 18, 2005 - 1:09 PM

Considering that Microspud has cancelled "Patch Tuesdays" I don't think this is going to happen

Score: 0

By Dries

posted Sep 16, 2005 - 12:58 PM

"it would be very unwise at this point for MS to wait until next patch Tuesday"
after every patch tuesday, there is a hacks wednesday

Score: 0

By sn1p34

posted Sep 16, 2005 - 9:23 PM

Maybe you guys would be interested in reading this article I found on Slashdot.org.

prostoalex writes "With Firefox market share reaching a substantial level, is the popular Internet browser becoming a security nightmare for IT administrators? George Ou takes a look at the hard numbers. From the article: 'From March 2005 to September 2005 10 vulnerabilities were published for Microsoft Internet Explorer, 40 for Mozilla Firefox. In April-September timespan there were 6 exploits for MSIE, 11 for Firefox. Conclusion? As you can see, the facade that Firefox is the cure to the Internet Explorer security blues is quickly fading. It just goes to prove that any popular software worth hacking that has security vulnerabilities will eventually have to deal with live working exploits. Firefox mostly managed to stay under the radar from hackers before April of 2005.'"

Maybe you should stop bashing MS, and understand your browser is not perfect.... and nor is IE, that's life, nobody's perfect, and none will ever be, so move on and stop whining.

Score: 0

By ThePain

edited Sep 17, 2005 - 12:44 AM

With the only difference that there is usually a fix for critical flaws available within 48 hours while MS sometimes takes up to 6 months to poorly avoid a flaw by simply removing a functionality (D&D exploit anyone?!) With the upcoming autoupdating capabilities of FF1.5 hotfixes _can_ be done in background without any user action. Oh and by the way, do you really think that one could compare the numbers of NEWLY discovered flaws of an AGED product to the ones of a totally NEW one. Try adding all IE bugs since 6.0 (actually since 5.0 since there are some minor flaws that are still not fixed) and all FF bugs since 1.0, imho those numbers would be way more conclusive.

Score: 0

By AaronDobbins

posted Sep 18, 2005 - 10:52 PM

I am getting really tired of both of these arguments. FireFox users keep saying "fixes are quick" or "fixes come within 48 hours" or "with it being open source the users fix it rapidly". The hassle is the same for users who have to constantly go out and get FF or IE fixes and install them. IE vs FF is like American politics; each side reads the same things and interprets them completely differently, and each side thinks the other is moronic. Use what you want to use and I'll use what I want to use.

I think it has already been shown that the higher the market share, there is a sharp increase in reported bugs and flaws, simply because the number of users is greater and more flaws are located. When FireFox first came out security flaws were unheard of, and everyone thought it was the IE killer because it was more secure. I'm sure with every release of FireFox there will be new flaws discovered and even more flaws that existed in older versions. This is what happens when you add new features and functionality.

Unless you are a programmer, and I mean a real programmer, not just a programmer at home, you really should not judge. It is extremely difficult to create bug free software when there are real deadlines and a budget. Couple those things, with the complexities and intricacies of coding an operating system or completely secure internet browser, and no one would be perfect.

As one previous poster pointed out, the problem is all of these idiots that sit in their parents' basements drinking Mt. Dew, eating Ramen, chatting to their internet girlfriends (or boyfriends, since I don't want to be sexist haha) and hammering at software to find security flaws.

Score: 0

By netwiz562

posted Sep 17, 2005 - 12:59 AM

That's not realistic either, 5.0/6.0 have been out wayy longer than FF 1.0. There is really no equivalent comparison as when IE 5.0 released, security was not the biggest concern and less vulnerabilities were found/fixed.

And actually FF has removed features as bugfixes or put advisories to do so a lot more often than MS has. The only time I can remember MS doing this is with the login in url issue (http://user:pass@host).

Maybe a fair way to do this would be compare all the critical bugs released only.

Oh and btw, fairness does not actually matter now that I think about it. Once FF got to 1.0, it was advertised for usage and as more secure, that means it should be. The question at hand is whether it is currently more secure, not whether after they have as much time as IE in the market they are secure.

Score: 0

By ghammer

edited Sep 18, 2005 - 11:29 AM

I agree.
Firefox and its supporters' claim to fame is "Security". I hold it to a higher standard for that reason and because, as the fans are prone to say, it is not tied to the OS, so fixes only need address the browser.
Still, slow or temp patches/workarounds are the case many times.

But, just where do I need to go to have all the 'problems' others find/report? I live in China, visit 'dangerous' sites, download and install lots of things.

I've yet to be hijacked, compromised, etc.

BTW- I use FF 1.06, didn't like I.E. 7 because of the lack of Adblock. Otherwise, I'd stick to IE.

Score: 0

By sn1p34

posted Sep 18, 2005 - 2:46 PM

ahh, but that's what Google toolbar, Maxthon and Avant are for.

Score: 0