
Details of IE flaws disclosed to security lists

By Edward Hurley, SearchSecurity.com News Writer
01 Dec 2003 | SearchSecurity.com


Microsoft is investigating reports of several vulnerabilities in Internet Explorer that were posted to security mailing lists last week.

So far, the software giant hasn't released any patches or updates for the flaws, though a company spokesman told the news agency Reuters that it is examining the reports.

It appears that a researcher from China named Liu Die Yu found the flaws but didn't report them to Microsoft before posting details to the lists. Generally, security researchers report flaws they find to the vendor in question before making the details public, so the vendor can create the necessary patches and updates before hackers can create exploit code or a worm.

Late last week, the researcher posted details of a six-step cache attack that would compromise affected systems just by having unsuspecting victims view a Web page.

So far, the vulnerabilities appear to affect only Internet Explorer 6, but other versions may be vulnerable, according to an advisory from Danish security service provider Secunia, which labeled the flaws "extremely critical." When exploited together, the flaws could allow remote attackers to compromise systems.

The flaws involve redirecting the browser. For example, one flaw in the URL handler would bypass a security check usually done by Internet Explorer.

As there are no patches available, Secunia recommends that users disable Active Scripting as a workaround.






