Patch addresses new Internet Explorer flaw

Microsoft released a cumulative patch for Internet Explorer 5.5 and 6.0 that fixes a flaw in the Web browser that could allow an outsider to read any file on a vulnerable system.



Feedback on this story? Send your comments to News Writer Edward Hurley

The vulnerability has to do with how Internet Explorer uses particular object-caching techniques when rendering Web pages. This could allow an attacker to use a malicious Web site to access information from another domain, including the user's local system, Microsoft said in an advisory.

Microsoft has released a cumulative patch for Internet Explorer 5.5 and 6.0 that addresses the vulnerability. Internet Explorer 5.01 does not have the flaw.

Exploiting the vulnerability requires attackers to set up a Web page that uses a cached programming technique. The page can then be hosted on a Web server or sent in an e-mail message.

With the Web-based attack, an affected user would only need to visit the bogus Web page for the vulnerability to be exploited. This type of attack is fairly limited because getting people to visit a particular site can be difficult.

E-mail-based attacks would require the recipient to open the message or view it through the preview pane. Yet Outlook Express 6.0 and Outlook 2002 would block the e-mail in their default configurations. Outlook 98 and 2000 would also block it if they had security updates installed.

The potential damage caused by the attack is limited. Attackers could exploit the vulnerability to read, but not change, any file on the user's system. Theoretically, they could also run any executable already on the infected system, but they would need to know the exact location of the executable and would not be able to pass parameters to it.
