Two More IE Holes Surface

Security researchers are warning of another pair of vulnerabilities in Microsoft Corp.’s Internet Explorer browser affecting users on fully patched Windows XP Service Pack 2 systems.

According to an alert from Secunia that carries a “moderately critical” rating, the holes can be exploited to bypass a security feature in XP SP2 and trick users into downloading malicious files.

Read here why Peter Coffee says IE flaws should come as no surprise.

The company said a bug was flagged in the SP2 security feature that warns users when opening downloaded files of certain types. “The problem is that if the downloaded file was sent with a specially crafted ‘Content-Location’ HTTP header in some situations, then no security warning will be given to the user when the file is opened,” Secunia said.

It’s not known if that flaw is related to a similar warning issued by Finjan Software earlier this week.

Finjan claims it discovered a bug in the SP2 notification mechanism and has already proven to Microsoft that hackers can bypass the mechanism to inject arbitrary code without any warning or notification.

Microsoft has disputed the severity of Finjan’s claims, insisting they are “potentially misleading and possibly erroneous.” The software giant said it will continue investigating Finjan’s claims to confirm valid vulnerability claims before rolling out possible fixes.

Secunia is also warning of another IE bug that causes an error when using a Javascript function. That vulnerability can be exploited to spoof the file extension in the “Save HTML Document” dialog.

The research outfit also said a combination of the two flaws could be exploited by an attacker to trick a user into downloading a malicious executable file pretending to be an HTML document.

“The vulnerabilities have been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2,” the company said, recommending that IE users disable Active Scripting support and the “Hide extension for known file types” option.

A Microsoft spokeswoman said the company was aware of the Secunia listing. “We have not been made aware of any active attacks against the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports,” she said.

Microsoft also criticised the public disclosure of the flaw information before a patch could be created, tested and deployed.

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzer’s Weblog.

Separately, Microsoft re-released its MS04-039 security bulletin to correct some issues affecting customers using ISA Server 2000 Service Pack 1 or Windows 2000 Service Pack 3.

That patch was issued earlier this month to fix a content spoofing vulnerability in ISA Server 2000 and Proxy Server 2.0.

Editor’s Note: This story was updated to include information and comments from Microsoft.

Check out eWEEK.com’s for the latest security news, reviews and analysis.