Microsoft investigates reported IE flaws

Microsoft tells its users that it is aware of a flaw in IE that could allow attacks and is working to fix the problem.

Attackers could use newly discovered flaws in Internet Explorer to launch malicious code and spoof dialog boxes, two security firms warned. The first problem, reported by Vienna-based SEC Consult, is that IE doesn't properly handle instantiation of non-ActiveX COM objects from Web pages. The advisory said, "loading HTML documents with certain embedded CLSIDs results in null-pointer exceptions or memory corruption. In one case, we could...

leverage this bug to overwrite a function pointer in the data segment. It may be possible to exploit this issue to execute arbitrary code in the context of IE."

The Bethesda, Md.-based SANS Internet Storm Center said, "The published proof-of-concept code demonstrates the issue by invoking the javaprxy.dll COM object and crashing Internet Explorer, as tested in Internet Explorer 6 on Windows XP Service Pack 2. Although there are no patches to address the issue, a work-around is to disable ActiveX support in the browser."

Danish security firm Secunia reported a second problem malicious Web sites could exploit to spoof dialog boxes. "The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open a prompt dialog box, which appears to be from a trusted site." However, Secunia added, "Successful exploitation normally requires that a user is tricked into opening a link from a malicious Web site to a trusted Web site."

Secunia developed a test users can run to see if their browser is affected. The firm confirmed the flaw in a fully updated version 6.0 and recommends users avoid untrusted Web sites while browsing trusted sites.

Microsoft confirmed it is investigating the reports. "Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing additional mitigation guidance through this security advisory, and if appropriate, a security update through our monthly release process or an out-of-cycle security update, depending on the results of the investigation," the software giant said in a statement.

At this point, Microsoft said, "We have not been made aware of any attacks attempting to use the reported vulnerability or customer impact at this time, but we are aggressively investigating the public report."

This article originally appeared on SearchSecurity.com.

Dig deeper on Windows Server and Network Security

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close