Patch addresses new Internet Explorer flaw

Edward Hurley, News Writer

Microsoft has released a patch for a flaw in Internet Explorer that allows attackers to read files on affected systems.

The vulnerability has to do with how Internet Explorer uses particular object-caching techniques when rendering Web pages. This could allow an attacker to use a malicious Web site to access information from another domain, including the user's local system, Microsoft said in an advisory.

Microsoft has released a cumulative patch for Internet Explorer 5.5 and 6.0 that addresses the vulnerability. Internet Explorer 5.01 does not have the flaw.

Exploiting the vulnerability requires attackers to set up a Web page that uses a cached programming technique. The page can then be hosted on a Web server or sent in an e-mail message.

With the Web-based attack, an affected user would only need to visit the bogus Web page for the vulnerability to be exploited. This type of attack is fairly limited because getting people to visit a particular site can be difficult.

E-mail-based attacks would require the recipient to open the message or view it through the preview pane. Yet Outlook Express 6.0 and Outlook 2002 would block the e-mail in their default configurations. Outlook 98 and 2000 would also block it if they had security updates installed.

The potential damage caused by the attack is limited. Attackers could exploit the vulnerability to read -- but not change -- any file on the user's system. Theoretically, they could also run any executable already on the infected system, but they would need to know the exact location of the executable and would not be able to pass parameters to it.

