Article

Microsoft investigates reported IE flaws

Staff report

Attackers could use newly discovered flaws in Internet Explorer to launch malicious code and spoof dialog boxes, two security firms warned. The first problem, reported by Vienna-based SEC Consult, is that IE doesn't properly handle instantiation

    Requires Free Membership to View

of non-ActiveX COM objects from Web pages. The advisory said, "loading HTML documents with certain embedded CLSIDs results in null-pointer exceptions or memory corruption. In one case, we could leverage this bug to overwrite a function pointer in the data segment. It may be possible to exploit this issue to execute arbitrary code in the context of IE."

The Bethesda, Md.-based SANS Internet Storm Center said, "The published proof-of-concept code demonstrates the issue by invoking the javaprxy.dll COM object and crashing Internet Explorer, as tested in Internet Explorer 6 on Windows XP Service Pack 2. Although there are no patches to address the issue, a work-around is to disable ActiveX support in the browser."

Danish security firm Secunia reported a second problem malicious Web sites could exploit to spoof dialog boxes. "The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open a prompt dialog box, which appears to be from a trusted site." However, Secunia added, "Successful exploitation normally requires that a user is tricked into opening a link from a malicious Web site to a trusted Web site."

Secunia developed a test users can run to see if their browser is affected. The firm confirmed the flaw in a fully updated version 6.0 and recommends users avoid untrusted Web sites while browsing trusted sites.

Microsoft confirmed it is investigating the reports. "Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing additional mitigation guidance through this security advisory, and if appropriate, a security update through our monthly release process or an out-of-cycle security update, depending on the results of the investigation," the software giant said in a statement.

At this point, Microsoft said, "We have not been made aware of any attacks attempting to use the reported vulnerability or customer impact at this time, but we are aggressively investigating the public report."

This article originally appeared on SearchSecurity.com.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: