June 29, 2006 3:14 PM PDT

Browser bugs hit IE

Two new security flaws have been discovered in Microsoft's Internet Explorer, security experts have warned.

Code for both the vulnerabilities has been published, but there have been no reports of attacks taking advantage of the flaws, the SANS Internet Storm Center, which monitors network threats, said in an advisory released Wednesday.

SANS initially reported that one of the flaws also affected Mozilla's Firefox Web browser, but on Friday it said in an updated advisory that it had determined, after further research, that Firefox was not affected by it.

The first issue is related to the handling of a technology that is used to access documents delivered from one Web site to another, according to the advisory.

Attackers could exploit the IE flaw using cross-site scripting, said Monty Ijzerman, senior manager of McAfee's Global Threat Group. That technique enables hackers to view the contents of one open browser from a second browser open on the user's system. The attackers, as a result, could swipe sensitive information, such as online banking data, from one of the sites showing.

"We consider this flaw less serious than the other IE flaw," Ijzerman said. "A user would have to have multiple browsers open, and the information on the site would have to be relevant to what the attacker wanted."

The second security hole is related to the way HTA applications are processed. (This flaw is the one that SANS at first thought also existed in Firefox.)

A PC user could be tricked into double-clicking on a malicious file and remote code could be executed, Ijzerman said. An attacker could exploit the vulnerability to read files on a system or to install rootkits, which make system changes to hide another piece of possibly malicious software.

The two IE security flaws come as Microsoft releases its final beta version of IE 7, which is designed to offer more security features. SANS said Friday that IE7 does not have the security holes.

Microsoft said it is investigating the issues and has yet to hear of any attackers exploiting the reported vulnerabilities.

CNET News.com's Caroline McCarthy contributed to this story.

See more CNET content tagged:
attacker, flaw, advisory, Microsoft Internet Explorer, vulnerability


Join the conversation!
Add your comment
I use Opera for most browsing
Like many others, I also keep IE6, FireFox and Netscape on my PC, but I find myself using Opera for most of my browsing. So far, so good. No bugs.
Posted by Des Alba (68 comments )
Reply Link Flag
@c|net Advisory updated, Firefox not affected.
The SANS Advisory has been updated ( <a class="jive-link-external" href="http://isc.sans.org/diary.php?storyid=1448" target="_newWindow">http://isc.sans.org/diary.php?storyid=1448</a> ) and now says that Firefox isn't affected at all, since it lacks the OuterHTML property.
Posted by hansschmucker (4 comments )
Reply Link Flag
Opera & Firefox -- cure to IE problems
That's why you use Firefox and you don't have to worry about new bugs every hour. I know Microsoft's IE is targeted and they do everything they can but they don't take action quick enough. Firefox does it very quick and I don't know about Opera--as not as many people use it as FF but probably faster than IE bugs are fixed.
Posted by pentium4forever (192 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.