Two More IE Holes SurfaceBy Ryan Naraine | Posted 2004-11-17 Email Print
Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce
Updated: Security researchers find new bugs in the widely deployed Web browser; users' fully patched Windows XP SP2 machines are at risk.
Security researchers are warning of another pair of vulnerabilities in Microsoft Corp.'s Internet Explorer browser affecting users on fully patched Windows XP Service Pack 2 systems.
According to an alert from Secunia that carries a "moderately critical" rating, the holes can be exploited to bypass a security feature in XP SP2 and trick users into downloading malicious files.
The company said a bug was flagged in the SP2 security feature that warns users when opening downloaded files of certain types. "The problem is that if the downloaded file was sent with a specially crafted 'Content-Location' HTTP header in some situations, then no security warning will be given to the user when the file is opened," Secunia said.
It's not known if that flaw is related to a similar warning issued by Finjan Software earlier this week.
Finjan claims it discovered a bug in the SP2 notification mechanism and has already proven to Microsoft that hackers can bypass the mechanism to inject arbitrary code without any warning or notification.
Microsoft has disputed the severity of Finjan's claims, insisting they are "potentially misleading and possibly erroneous." The software giant said it will continue investigating Finjan's claims to confirm valid vulnerability claims before rolling out possible fixes.
The research outfit also said a combination of the two flaws could be exploited by an attacker to trick a user into downloading a malicious executable file pretending to be an HTML document.
"The vulnerabilities have been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2," the company said, recommending that IE users disable Active Scripting support and the "Hide extension for known file types" option.
A Microsoft spokeswoman said the company was aware of the Secunia listing. "We have not been made aware of any active attacks against the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports," she said.
Microsoft also criticised the public disclosure of the flaw information before a patch could be created, tested and deployed.
Separately, Microsoft re-released its MS04-039 security bulletin to correct some issues affecting customers using ISA Server 2000 Service Pack 1 or Windows 2000 Service Pack 3.
That patch was issued earlier this month to fix a content spoofing vulnerability in ISA Server 2000 and Proxy Server 2.0.
Editor's Note: This story was updated to include information and comments from Microsoft.
Check out eWEEK.com's for the latest security news, reviews and analysis.