July 1, 2005 8:55 AM PDT

Microsoft warns of unpatched IE flaw

Microsoft has issued a security advisory for Internet Explorer, after a research firm published a working exploit to demonstrate how attackers could take advantage of the flaw.

The vulnerability, discovered by SEC Consult, means that attackers could cause the browser to unexpectedly exit and execute arbitrary code. Versions of IE affected by the flaw include IE 6.0 on Windows 2000 with Service Pack 1, 3 and 4, and on Windows XP with Service Pack 1 and 2.

"Microsoft is investigating a new public report of a vulnerability affecting Internet Explorer. We have not been made aware of any attacks attempting to use the reported vulnerability or customer impact at this time," Microsoft said Thursday in its advisory. "But we are aggressively investigating the public report."

A patch for the flaw is not available. As an interim measure, the software giant advises people to set their Internet and local intranet security zone settings to "high" before running ActiveX controls.

The alert is part of a recently launched Microsoft program to confirm reports of security problems and provide a workaround until a fix is delivered.

The discovery of this latest IE flaw comes two weeks after Microsoft released several "critical" security patches, including one for IE. Those patches addressed vulnerabilities that allowed for remote execution of code.

WHAT IS SO NEW ABOUT THE IE SECURITY FLAW
by newerawisp July 1, 2005 9:43 AM PDT
Microsoft always issues daily warnings as to security flaws in its Windows operating systems or in its IE browsers and issues updates to them. So is there anything new in the discovery of IE security flaw? Hardly. No matter what Microsoft does the Hackers will find a way to breach the Security. It is because of the way the Internet Infrastructure is designed. It gives too much power to the people who own the Clients. Unless this power is taken away there is nothing that can be done to stop the Hackers and the Pirates.

There is only one way to stop the Hackers and the Pirates. That way is to make the Browsing Server oriented. That is the server would no longer be required to send any documents and the files to the Clients and the clients be used only to send the commands to the servers.

When this is done even a cellphone could be used to send surfing commands to the Servers which will cause the sales of cellphones to rise exponentially. The Hackers and Pirates would go out of business.

This approach is discussed in the blog at

http://wirelessera.rediffblogs.com/
Odd
by Bill Dautrive July 1, 2005 10:15 AM PDT
Funny that these 12 year old kids can't get into my Linux install.

It is not the internet infrastructure. It is years of ignoring security at Microsoft that causes these problems. Don't say it is because they have the market share. That is a falsehood. The systems that hackers could cause the most damage in are the web servers and mission critical business systems. And no one with any sense trusts MS there.

Put the blame squarely where it belongs: the inept, lazy folks at Microsoft.
WHAT IS SO NEW ABOUT THE IE SECURITY FLAW
by July 6, 2005 7:11 AM PDT
So instead the server is compromised? A sniffer is established and everyone's server traffic is intercepted at the gateway? That's not a very good solution.

What's new, or rather, newsworthy about this is the fact that Microsoft has ignored this advisory from the company. From the SEC Consult website:

The advisory (IE6 COM instantiation heap corruption) has been released following a mail from Microsoft on June 29:

"We have completed our investigation and have determined that the Internet Explorer crash is not exploitable [http://...|http://...] With regards to your report, the product team did not find the heap to be corrupted and nothing from the HTML page made it into the register."



the timeline of this advisory was the following:

2005-06-17 advisory provided to vendor
2005-06-17 initial response
2005-06-29 investigation completed, vendor says bug is not exploitable
2005-06-29 advisory goes to full disclosure & bugtraq
2005-06-30 notification by vendor that the issue was now reproduced

It will be egg in the face for Microsoft if this issue is actually exploitable.
I AGREE WITH YOUR RULES
by July 14, 2005 3:31 AM PDT
I quite appreciate your concern about privacy, which is the foremost thing I first consider before registering with your organisation. I thus appreciate and wish to contribute effectively towards your organisation.
Bogus Microsoft patch rec'd in email
by grannyQ July 1, 2005 5:37 PM PDT
Hi there,

Looks like someone out there is taking advantage of the most recent security flaw in IE6. I received a fake patch today in my email where the subject line read: "Use this patch immediately!" It had an attachment along with, and was 14k in size. I know Microsoft never uses attachments, so I reported it to MS and Yahoo. Of course I did not open it.
Not only that
by July 1, 2005 8:57 PM PDT
Not only do M$ not send attachments - they do NOT send emails - chuck it in the bin & ignore it.

Personally, I'd put on the fire-retardant gloves & move it into my isolation booth with my collection of virii, trojans & other suspect packages. One day I'm going to start sending some of these to the spammers - if I can ever find them :-)
Windowzers continue to be taken for a ride!
by July 1, 2005 9:46 PM PDT
You Windowzers will one day wake up from your drunken stupor
and realize that Billyboy is taking you for a long ride down a one
way street. He is laughing at you inept users that continue to bend
over and take the trash they spew from Redmond.

Why do you put up with this trash?!?!? I hope you enjoy the ride.
Ignorance is bliss.
haha
by Scott W July 2, 2005 9:45 AM PDT
lol, i love the bend over and take it line. hahaha!!!
...
by the.wake July 2, 2005 12:16 PM PDT
And insulting them is somehow supposed to convince them to switch?
Windowzers continue to be taken for a ride!
by July 6, 2005 7:42 AM PDT
As opposed to being taken for a ride by Torvalds/De Raadt/whoever is heading up whichever flavor of Linux this week?

I'm not defending Microsoft by any stretch of the imagination, but any one Linux Distro on average suffers from roughly twice the amount of security flaws as Microsoft does. Read bugtraq or full-disclosure sometime and count how many there are.

Then of course, there's secondary applications, the most irritating of which is PHP and other web-boards, which keeps the majority of site defacers in business. The majority of these secondary applications that have holes found in them are Linux based.

Has Microsoft been irresponsible with their Security efforts? Absolutely, but so has Linux. Many tout OpenBSD as "Secure out of the Box", which is not only incorrect, but wildly irresponsible.