June 30, 2004 10:04 AM PDT

Microsoft haunted by old IE security flaw

A security flaw that had been fixed in older versions of Microsoft Internet Explorer has reappeared in the latest version of the browser software.

Security company Secunia issued a bulletin warning of the flaw in versions 5.01, 5.5 and 6.0 of Internet Explorer (IE). The problem had been fixed six years ago, when it appeared in versions 3.0 and 4.0 of the IE browser.

"It's a concern that a company like Microsoft has a problem that's already been fixed in older versions resurface in newer ones," said Thomas Kristensen, chief technology officer of Secunia.

Microsoft has been plagued by a recent spate of IE vulnerabilities. The latest attack was reported Tuesday. Through a flaw in IE, a pop-up ad can plant a program on victims' computers that is used to read keystrokes and steal passwords when people visit any of nearly 50 banking sites.

Vulnerabilities in IE have become so common that some security researchers are recommending that people adopt alternate browsers. The U.S. Computer Emergency Response Team, the official U.S. body responsible for defending against online threats, also listed moving to a non-Microsoft browser among six possible responses for security administrators to consider.

According to the latest bulletin, the vulnerability affects people who have multiple IE browsers open. Through one of the open browsers, hackers can change the content of another Web site without users ever knowing that it has been altered.

Using this attack method, hackers could insert links into legitimate Web pages and direct people to malicious sites where they could solicit personal information such as bank account or credit card information. Because the link comes from a legitimate and trusted site, victims may not realize they have been redirected to a harmful site. Hackers could also insert links that would trick users into downloading malicious software.

"It's a major problem when people can't trust what they are seeing in their browser," Kristensen said.

Another flaw discovered last week turns some Web sites into points of digital infection. The vulnerability was nipped in the bud on Friday, when Internet engineers shut down a server in Russia that had been the source of the malicious code.

Another flaw, discovered earlier this month, installed a toolbar on victims' computers that triggered pop-ups.

CNET News.com's Robert Lemos contributed to this report.

1 comment

Don't You Get It?
Everybody keeps saying MS builds sloppy software. But they
keep buying the crap because it runs on hardware that is so
cheap! As the old saying goes, "You get what you pay for."

We should use alternative browsers, but MS has integrated IE into
the system so much that we can't even get rid of it. They want to
make everything an integral part of the system so you will use
only their browser, music/video player, and whatever other
crap they want you to use. Yes, you can hide it, but it is still there,
and that is what makes your computer vulnerable.

If I don't want it and won't use it, why can't I get rid of it? How
about if you buy a new car and you don't like the car stereo: do
you have to leave that stereo in and add another one that you
like? No, you just replace it. If you don't like the spark plugs, you
can replace them. Actually, if you don't like the engine, you can even
replace that if you want.

As computers are being called a commodity and are so
commonplace now, shouldn't there be some standardization?
When someone tries, MS says you need to use our standards.
This is why I use alternative platforms and mostly non-MS
software. I sleep easily knowing my chances of having my
computer controlled by someone else are less than most of the
lemmings.
Posted by wrwjpn (113 comments )