July 1, 2005 8:55 AM PDT

Microsoft warns of unpatched IE flaw

Related Stories

Keeping pace in the browser business

June 10, 2005

Firefox continues gains against IE

January 21, 2005

IE flaw threat hits the roof

January 7, 2005
Microsoft has issued a security advisory for Internet Explorer, after a research firm published a working exploit to demonstrate how attackers could take advantage of the flaw.

The vulnerability, discovered by SEC Consult, mean that attackers could cause the browser to unexpectedly exit and execute arbitrary code. Versions of IE affected by the flaw include IE 6.0 on Windows 2000 with Service Pack 1, 3 and 4, and on Windows XP with Service Pack 1 and 2.

"Microsoft is investigating a new public report of a vulnerability affecting Internet Explorer. We have not been made aware of any attacks attempting to use the reported vulnerability or customer impact at this time," Microsoft said Thursday in its advisory. "But we are aggressively investigating the public report."

A patch for the flaw is not available. As an interim measure, the software giant advises people to set their Internet and local intranet security zone settings to "high" before running ActiveX controls.

The alert is part of a recently launched Microsoft program to confirm reports of security problems and provide a workaround until a fix is delivered.

The discovery of this latest IE flaw comes two weeks after Microsoft released several "critical" security patches, including one for IE.Those patches addressed vulnerabilities that allowed for remote execution of code.

17 comments

Join the conversation!
Add your comment (Log in or register)
WHAT IS SO NEW ABOUT THE IE SECURITY FLAW
Microsoft always issues daily warnings as to security flaws in its Windows operating systems or in its IE browsers and issues updates to them. so is there anything new in the discovery of IE security flaw hardly. No matter what Microsoft does the Hackers will find a way to breach the Security. It is because of the way the Internet Infrastructure is designed. It gives too much power to the people who own the Clients. Unless this power is taken awy there is nothing that can be done to stop the Hackers and the Pirates.

There is only one way to stop the Hackers and the Pirates. That way is to make the Browsing Server oriented. That is the server would no longer be required to send any documents and the files to the Clients and the clients be used only to send the commands to the servers.

When this is done even a cellphone could be used to send surfing commands to the Servers which will cause the sales of cellphones to rise exponentially. The Hackers and Pirates would go out of business.

This approach is discussed in the blog at

<a class="jive-link-external" href="http://wirelessera.rediffblogs.com/" target="_newWindow">http://wirelessera.rediffblogs.com/</a>
Posted by newerawisp (47 comments )
Reply Link Flag
Odd
Funny that these 12 year old kids can't get into my Linux install.

It is not the internet infrastructure. It is years of ignoring security at Microsoft that causes these problems. Don't say it is becuase they have the market share. That is a falsehood. The systems that hackers could cause the most damage in are the web servers and mission critical business systems. And no one with any sense trusts MS there.

Put the blame squarely where it belongs: the inept, lazy folks at Microsoft.
Posted by Bill Dautrive (1180 comments )
Link Flag
WHAT IS SO NEW ABOUT THE IE SECURITY FLAW
So instead the server is compromised? A sniffer is established and everyones server traffic is intercepted at the gateway? Thats not a very good solution.

What's new, or rather, newsworthy about this is the fact that Microsoft has ignored this advisory from the company. From the SEC Consult website:

The advisory (IE6 COM instantiation heap corruption) has been released following a mail from microsoft on June,29:

"We have completed our investigation and have determined that the Internet Explorer crash is not exploitable [http://...|http://...] With regards to your report, the product team did not find the heap to be corrupted and nothing from the HTML page made it into the register."



the timeline of this advisory was the following:

2005-06-17 advisory provided to vendor
2005-06-17 initial response
2005-06-29 investigation completed, vendor says bug is not exploitable
2005-06-29 advisory goes to full disclosure &#38; bugtraq
2005-06-30 notification by vendor that the issue was now reproduced

It will be egg in the face for Microsoft if this issue is actually exploitable.
Posted by (9 comments )
Link Flag
I AGREE WITH YOUR RULES
I quite appreciate your concern about privacy which is the formost thing i first consider before registering with your organisation, i thus appreciate and wish to contribute effectively towards your organisation
Posted by (6 comments )
Link Flag
Bogus Microsoft patch rec'd in email
Hi there,

Looks like someone out there is taking advantage of the most recent security flaw in IE6. I received a fake patch today in my email where the subject line read: "Use this patch immediately!" It had an attachment along with, and was 14k in size. I know Microsoft never uses attachments, so I reported it to MS and Yahoo. Of course I did not open it.
Posted by grannyQ (1 comment )
Reply Link Flag
Not only that
Not only do M$ not send attachments - they do NOT send emails - chuck it in the bin &#38; ignore it.

Personally, I'd put on the fire-retardant gloves &#38; move it into my isolation booth with my collection of virii, trojans &#38; other suspect packages. One day I'm going to start sending some of these to the spammers - if I can ever find them :-)
Posted by (409 comments )
Link Flag
Windowzers continue to be taken for a ride!
You Windowzers will one day wake up from your drunken stupor
and realize that Billyboy is taking you for a long ride down a one
way street. He is laughing at you inept users that continue to bend
over and take the trash they spew from Redmond.

Why do you put up with this trash?!?!? I hope you enjoy the ride.
Ignorance is bliss.
Posted by (57 comments )
Reply Link Flag
haha
lol, i love the bend over and take it line. hahaha!!!
Posted by Scott W (419 comments )
Link Flag
...
And insulting them is somehow supposed to convince them to switch?
Posted by the.wake (7 comments )
Link Flag
Windowzers continue to be taken for a ride!
As opposed to being taken for a ride by Torvalds/De Raadt/whoever is heading up whichever flavor of Linux this week?

I'm not definding Microsoft by any stretch of the imagination, but any one Linux Distro on average suffers from roughly twice the amount of security flaws as Microsoft does. Read bugtraq or full-disclosure sometime and count how many there are.

Then of course, theres secondary applications, the most irritating of which is PHP and other web-boards, which keeps the majority of site defacers in business. The majority of these secondary applications that have holes found in them are Linux based.

Has Microsoft been irresponsible with their Security efforts? Absolutely, but so has Linux. Many tout OpenBSD as "Secure out of the Box", which is not only incorrect, but wildly irresponsible.
Posted by (9 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

Inside CNET News

1-2 of 10

Scroll Left Scroll Right

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

Markets

Market news, charts, SEC filings, and more

Related quotes

Microsoft (0.28%) 0.08 30.58
Dow Jones Industrials (0.57%) 72.81 12,874.04
S&P 500 (0.68%) 9.13 1,351.77
NASDAQ (0.95%) 27.51 2,931.39
CNET TECH (0.84%) 17.13 2,049.14
  Symbol Lookup