Internet Explorer users should stay away from unfamiliar File Transfer Protocol (FTP) servers to avoid potential attacks by way of a new vulnerability in the popular browser, security experts say.
According to an advisory from Danish security
"The vulnerability is caused due to an input validation error in the handling of FTP file transfers," Secunia said. "This can be exploited by a malicious FTP server to create files in arbitrary locations via directory traversal attacks by tricking a user into downloading malicious files."
The group said it confirmed the vulnerability on a fully patched system with Internet Explorer 6 and Microsoft Windows 2000 SP4/XP SP1. Systems running Windows XP with SP2 are not affected.
Until the problem is fixed, Secunia recommends users avoid downloading files from untrusted FTP servers.
FTP, a standard Internet protocol, is the simplest way to exchange files between computers on the Internet. Like the Hypertext Transfer Protocol (HTTP), which transfers displayable Web pages and related files, and the Simple Mail Transfer Protocol (SMTP), which transfers e-mail, FTP uses the Internet's TCP/IP protocols. It is commonly used to transfer Web page files from their creator to the computer that acts as their server for everyone on the Internet. It's also commonly used to download programs and other files to your computer from other servers.
Puigsech's full findings are available here. He did not respond to a request for additional information at the time of writing.
This vulnerability is different from four others confirmed last week, a Microsoft spokeswoman said by e-mail. She also confirmed the software giant is looking into the new Internet Explorer flaw.
"Upon completion of this investigation, Microsoft will take the appropriate actions to protect customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs," she said. "Our early investigation indicates that this vulnerability requires significant user interaction and user interface steps to occur before any malicious code could be executed. Windows XP SP2 is not affected by this vulnerability."
She added, "At this time, Microsoft is not aware of any malicious attacks attempting to exploit the reported vulnerability, and there is no customer impact based on this issue."