Another Internet Explorer flaw found

A computer science researcher has highlighted the shortcomings of Microsoft's latest patch for its Internet Explorer browser by identifying another way that online vandals could run malicious programs on a Web surfer's computer.

Microsoft on Friday released a fix that's designed to protect computers from one of three flaws that, together, could be used to digitally slip past a PC's security through the browser. This weekend, however, a security researcher identified another flaw that could serve the same purpose and that isn't fixed by Microsoft's patch.

"They chose to address only one part of the problem," said Jelmer Kuperus, a computer science student in the Netherlands who posted the code for the work-around. "They should have seen this one coming."

This marks the third time in a month that Microsoft has had to play catch-up to researchers' public disclosures about insecurities in Internet Explorer. In early June, Kuperus found a Web site that used two previously unknown vulnerabilities, plus the recently patched one, to install adware on victims' computers. Additionally, security researchers discovered last week that a milder vulnerability, which Microsoft had fixed in early versions of the browser, reappeared in later versions.

Microsoft acknowledged the latest issue and said more fixes would be forthcoming.

"The company is working to provide a series of security updates to Internet Explorer in coming weeks that will provide additional protection for customers," a company representative told CNET News.com. The company will also "continue to actively investigate these reports."

The most recent flaw is not new--security researchers first discussed the issue in January, Kuperus said. It had originally been considered minor, but the flaw is significant because it can be used in conjunction with the two other vulnerabilities, which were found at the beginning of June. Together, all three add up to easy access to Windows computers running Internet Explorer.

"Most exploits we are seeing developed today are composed of multiple vulnerabilities, (each one) bypassing a specific security feature of Internet Explorer," Kuperus said. "Individually, many of these issues often are fairly harmless, but combined they can pose serious risk."

Both the original and the latest vulnerabilities exist in a library of components and scripting features known as ActiveX. The older flaw is in ADODB.Stream, while the latest vulnerability is in the Application.Shell component.

Vulnerabilities in IE have become so common that some security researchers are recommending that people adopt alternate browsers. The Computer Emergency Response Team, the official U.S. body responsible for defending against online threats, also advised security administrators to consider moving to a non-Microsoft browser, as one of six recommended responses.

Microsoft recommends that users go to the company's Protect Your PC site for the latest information.

I E 7.0

May be its time for Microsoft to check and fix the code of IE line by line, and then finally release I E 7.0

Perhaps, but...

Perhaps, but then again, maybe it's time to ditch IE in favor of something better and more secure.

[Kayle216]

The kicker of it all

IE is the only way you can use the Windows Update function to update a computer. How can we protect our PCs from the vulnerabilities, that Microsoft failed to fix before releasing any versions of Windows, without using a piece of software that is as big of a flaw that could have ever been made? Makes no sense to me. Mozilla is a stable browser and would love to be able to convert completely to it, but yet I can't because I have to use the security flaw proned IE to update my machine. Have been toying with the idea of switching to Linux 100%.

MSN Browser

You can use MSN Browser to update Windows and Office products.

Switching to other browsers not always possible

While experts may be recommending changing browsers, for some of us, it's just not an option. If you're blind, Internet Explorer is the only browser that works well with our speech software. I really wish somebody else would develop a browser and work with manufacturers of assistive technology to make it functional for us. I've had people recommend I drop IE, but I'd pretty much have to drop the Internet.

Brad (from Send My Friend to College

[garddog]

Linux for the handicapped

Linux has a lot of features to make the software available to the handicapped. I don't know how well they work though.

A client stopped by today with a M$XP computer trashed by virii. I tried to talk him into Linux, but he insisted that he HAD to run a certain game that had not yet been ported to Linux. I guess it runs OK on a M$ virii trashed computer!

Nevertheless, I have installed a dozen Linux Fedora Core 2 distributions over the last week at my Superwhamadyne Cyber Cafe.

Vulnerability Of IE

I'm using Windows XP and I get tons of popups. I switched the Opera and don't even close to as many cookies, spyware, and popups as I did when I had Internet Explorer. I find that most of the time webpages give me popups and misleading virus alerts. I hope that MIcrosoft comes out with a new browser.

Vulnerability Of IE

I'm using Windows XP and I get tons of popups. I switched to Opera and I don't even get close to as many cookies, spyware, and popups as I did when I had Internet Explorer. I find that most of the time webpages give me popups and misleading virus alerts. I hope that MIcrosoft comes out with a new browser.