Article

Details of IE flaws disclosed to security lists

Edward Hurley, SearchSecurity.com News Writer

Microsoft is investigating reports of several vulnerabilities in Internet Explorer, which were reported to security mailing lists last week.

So far, the software giant hasn't released any patches or updates for the flaws, though a company spokesman told the news agency Reuters that it is examining the reports.

It appears that a researcher from China named Liu Die Yu found the flaws but didn't report them to Microsoft before posting details to the lists. Generally, security researchers report flaws they find to the vendor in question before making the details public, so the vendor can create the necessary patches and updates before hackers can create exploit code or a worm.

Late last week, the researcher posted details of a six-step cache attack that would compromise affected systems just by having unsuspecting victims view a Web page.

So far, the vulnerabilities appear to affect only

    Requires Free Membership to View

Internet Explorer 6, but other versions may be vulnerable, according to an advisory from Danish security service provider Secunia, which labeled the flaws "extremely critical." When exploited together, the flaws could allow remote attackers to compromise systems.

The flaws involve redirecting the browser. For example, one flaw in the URL handler would bypass a security check usually done by Internet Explorer.

As there are no patches available, Secunia recommends that users disable Active Scripting as a workaround.

FEEDBACK: Should the researcher have disclosed details of the latest flaws in IE to Microsoft before posting them to a security mailing list?
Send your feedback to the SearchSecurity.com news team.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: