Updated Friday, April 28, to include more details from Microsoft.
Two new Internet Explorer (IE) flaws have surfaced, less than 48 hours after another security hole came to light. Exploit code is available for the newest flaws, which attackers could use to download malicious ActiveX controls or view sensitive data.
The French Security Incident Response Team (FrSIRT) posted advisories for the latest vulnerabilities on its Web site Thursday. A Microsoft spokesman confirmed Thursday afternoon that the company has investigated the latest reports and determined both flaws would be difficult to exploit.
The first problem, discovered by vulnerability researcher Matthew Murphy, is a race condition that appears when security dialogs are displayed and processed; prompting a user to install and execute an ActiveX control.
Attackers could exploit this to "manipulate the dialog box and remotely compromise a vulnerable system by convincing a user to visit a specially crafted Web page," FrSIRT said. Attackers could then install or execute a malicious ActiveX control on the victim's machine.
FrSIRT said that a proof-of-concept exploit has been released but that the vulnerability doesn't affect machines running Windows XP Service Pack 2 (SP2) or Windows 2003 SP1.
The Microsoft spokesman said the company has concluded the vulnerability can't be used to execute code on a user's system "without multiple user actions that are uncommon in typical Web browsing scenarios." Due to the significant mitigating factors and the level of testing appropriate for the change, he added, "We have determined that the issue would be most appropriately addressed in a service pack delivery rather than a security update. Service packs receive a higher level of compatibility testing over security updates."
The second problem, discovered by a vulnerability researcher who goes by the online name Codedreamer, is an origin validation error that appears when "mhtml:" URL redirections are handled. Attackers could exploit this to read content and data served from another domain in the context of a malicious Web page, FrSIRT said, adding that fully functional exploit code has been released.
The vulnerability clearinghouse recommended users mitigate the second flaw by disabling active scripting in the Internet and Local Intranet security zones, though this may interfere with the functionality of certain Web sites.
Microsoft said its initial investigation of this flaw indicates the most likely impact is potential information disclosure that would require user interaction.
"Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include issuing a security advisory or providing a security update through our monthly release process, depending on customer needs," he said.
Tuesday, another flaw was reported by vulnerability researcher Michal Zalewski, whose analysis was posted on the Full-Disclosure electronic mailing list hosted and sponsored by Danish vulnerability watcher Secunia.
That flaw is caused by an error in how certain sequences of nested "object" HTML tags are processed. Attackers could exploit it to launch malicious code and corrupt system memory.
The software giant's last big fix for IE was on April 11.