
July 21, 2005 4:12 PM PDT

Unpatched IE flaws reported

A flaw in Microsoft Internet Explorer's image rendering capabilities may allow attackers to execute code remotely, a security expert has warned.

Michal Zalewski, a security consultant and author, said he has found a number of possible flaws in the way the Web browser software handles JPEG images. Zalewski said that one of the flaws could be exploited for remote arbitrary code execution, a type of attack that is generally categorized as "critical" by security vendors.

Four proof-of-concept images that aim to exploit these flaws have been posted on the Web by Zalewski. Each of these has the potential to crash IE 6, the latest version of Microsoft's browser, even if it has been patched with Service Pack 2. Previous versions of IE may also be affected, according to a SecurityFocus posting. Two of the exploit images also cause memory and CPU problems.

Zalewski said he did not report this bug to Microsoft before publishing it, due to the problems he claims to have experienced with the software giant's bug-reporting process.

"It is my experience that reporting and discussing security problems with Microsoft is a needlessly lengthy process that puts too much burden and effort on the researcher's end, especially if you just have a crash case, not a working exploit; hence, they did not get an advance notice," said Zalewski in a posting on security site Neophasis.

"Microsoft is investigating new public reports of possible vulnerabilities in Internet Explorer, but we have not been made aware of attacks," a representative for the software maker said. "Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. Microsoft is concerned that this new report of possible vulnerabilities in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk."

Earlier this week, another image-processing security vulnerability that affected both IE and MSN Messenger surfaced. That bug was caused by a flaw in the way the applications handle International Color Consortium Profiles, but that problem was fixed by Microsoft in its last set of patches.

More information on the flaws can be found on the SecurityFocus Web site, under bug numbers 14282 and 14284.

Ingrid Marson of ZDNet UK reported from London.


Another day ... Another FLAW
by July 21, 2005 4:51 PM PDT
One more reason to switch to OPERA.
At least you didn't say switch to FireFox
by July 21, 2005 5:39 PM PDT
I'm so happy to hear that you didn't say switch to FF because it's been riddled with bugs and missteps lately. See Dog Days for FireFox http://news.com.com/Dog+days+for+Firefox/2009-1032_3-5798545.html?tag=nefd.lede

As for Opera, I love this browser's functionality, it's the best. But if it were popular enough to attract hackers I think it would fare far worse than FF and IE. And for that matter, if the browser market share were reversed with FireFox having 90% of the market it would have 10 times more bugs than IE because hackers (I'm sure they're pissed off Microsoft Devs) are barely creating exploits for it.
Already there
by July 21, 2005 7:45 PM PDT
Already using 8.0.1 & it's fine for most things. But some sites only work with IE, and they are sites that I HAVE to use - so I have to keep IE too.
Windowzers taken for a ride! AGAIN!
by July 21, 2005 9:57 PM PDT
You folks that continue to pay Bill for the trash heaps he spews
from REDmond make me laugh. What makes someone put up with
such c r a p? It can't be the user friendliness, security, ease of use,
stability or the total cost of ownership. So what is it?

I guess if everyone switched to OS X or Linux then we wouldn't
have trash like Windoze to make us look so good.
All of the above
by Andrew J Glina July 21, 2005 10:21 PM PDT
All those reasons you mentioned (user friendliness, security, ease of use, stability and the total cost of ownership) work for me. But don't worry; I am sure that you have convinced someone to try Linux with your comment. But not me because I already have this year and it still sux. Again.

Incidentally, what do you mean by "continue to pay"? I paid for Win2K once five years ago and I still love it. Do you lease your software or is it so bad that you are itching for the latest upgrade that oozes out?

Buy a Dell dude and leave Windows on it too.