Patch addresses new Internet Explorer flaw

Microsoft released a cumulative patch for Internet Explorer 5.5 and 6.0 that fixes a flaw in the Web browser that could allow an outsider to read any file on a vulnerable system.

Microsoft has released a patch for a flaw in Internet Explorer that allows attackers to read files on affected systems.


Feedback on this story? Send your comments to News Writer Edward Hurley

The vulnerability has to do with how Internet Explorer uses particular object-caching techniques when rendering Web pages. This could allow an attacker to use a malicious Web site to access information from another domain, including the user's local system, Microsoft said in an advisory.

Microsoft has released a cumulative patch for Internet Explorer 5.5 and 6.0 that addresses the vulnerability. Internet Explorer 5.01 does not have the flaw.

Exploiting the vulnerability requires attackers to set up a Web page that uses a cached programming technique. The page can then be hosted on a Web server or sent in an e-mail message.

With the Web-based attack, an affected user would only need to visit the bogus Web page for the vulnerability to be exploited. This type of attack is fairly limited because getting people to visit a particular site can be difficult.

E-mail-based attacks would require the recipient to open the message or view it through the preview pane. Yet Outlook Express 6.0 and Outlook 2002 would block the e-mail in their default configurations. Outlook 98 and 2000 would also block it if they had security updates installed.

The potential damage caused by the attack is limited. Attackers could exploit the vulnerability to read -- but not change -- any file on the user's system. Theoretically, they could also run any executable already on the infected system, but they would need to know the exact location of the executable and would not be able to pass parameters to it.
