November 17, 2004 3:35 PM PST

More security hiccups for IE

Microsoft's Internet Explorer has become a turkey shoot for flaw finders.

This week, three more vulnerabilities were found in version 6 of the software giant's flagship Web browser, security information provider Secunia said on Wednesday. That brings the total number of IE vulnerabilities disclosed in the past two months to 19, including eight flaws fixed by Microsoft during its October patch cycle.

The latest flaws were found by two different researchers, Secunia said. Two could be used together to allow malicious content to bypass a mechanism in Microsoft Windows XP Service Pack 2 that alerts people about potentially harmful programs, Secunia stated. The third vulnerability could be used to overwrite the cookies of a trusted site to hijack a Web session, if the site handles authentication in an insecure manner, according to that advisory.

The flaws were rated "moderately critical" and "not critical," respectively, by Secunia.

"We have not been made aware of any active attacks against the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports," Microsoft said in a statement sent to CNET News.com.

The company said that customers who needed advice should visit its software security site and its PC Protect site for home users. Microsoft also criticized the researchers for publicizing the flaws without allowing it to work to solve the problems first.

"Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk," the company said in the statement. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests."

Security researchers and hackers, however, are not paying heed to the software giant's standard chastisement of public disclosure. In the past two months, flaw finders have publicized critical Internet Explorer vulnerabilities and a slew of security issues in Service Pack 2, the company's latest update to Windows XP.

Already, viruses have started to use the critical Internet Explorer flaw to spread.

8 comments

Typical IE
Once again Microsoft just proves how sucky they can be. First they boast their software on slashdot.org as being as "secure" as any other browser out there (Firefox). Pah don't make me laugh. One day I look to see Microsoft Corp's main domain shut down due to these "flaws" in their software. That would be the most ironic thing to happen ever after making that bold statement.
Posted by Hawkster78 (7 comments )
More proof
That they are nothing but ostriches. "More secure than Firefox"? "More secure than Linux"? I suppose a retarded crackhead might buy that, no one else.

If they put the same effort as they do into protecting themselves from piracy and illegally running others out of business, they truly would be the best software company in the world. Instead they occasionally rise out of the crap pile and assume mediocrity, but usually they are just swimming in the sewers.
Posted by (242 comments )
More secure than Linux
http://www.analogstereo.com/jaguar_s-type_owners_manual.htm
Posted by Ubber geek (325 comments )
Security Flaw info release
If there's a flaw... chances are that the culprits are already aware of it regardless of whether it's made public or not.

Thus debating whether or not to publicize the hack could be a matter of important information for many IT managers.

And it has always been time to delivery for patches that has made or broke companies in the past... I don't see why it should be any different this time.

If Microsoft's IE were more secure, these kinds of problems would not be as great. It's because MS hasn't been held accountable in the past that they've been able to get away with such slack security in the first place.

I say it's time to bite the bullet and warn those AS the holes are found so that they can make the proper decisions (stop using IE or continue making IE the de facto browser) needs to be fessed up in many corporations.

Network is only as strong as its weakest link and IE is proving to be that weakest link.
Posted by wbenton (522 comments )
Hmmm
Maybe this is all part of Microsoft's long term strategy? Put so many security holes/bugs into their operating systems and browsers that the hacker community will be so overwhelmed with choices of which vulnerability(s) to take advantage of that the hackers will be unable to make a choice. Or maybe MS is trying to take the 'challenge' out of hacking, make it so easy to screw with someone's machine from afar that the jerk who writes viruses will no longer get a rush out of making a nuisance of himself... since everyone will be able to do it eventually.

If MS keeps making their products like they have been, their products are eventually going to have more 'holes' in them than they have content.

Oh and keep releasing those security holes to the public. Telling MS in secret about a security hole will just create a secret security hole MS won't fix cause no one knows about it (but the hackers of course).
Posted by cm6096 (21 comments )
This is kinda what I mean
Every time someone thinks that they are "upgrading" their Windows machine, what they are actually getting is a new list of security issues. The only way to play this game and win is just not to play. Older vulnerabilities would be easier to deal with than trying to keep up this rat race of constantly updating and upgrading to the latest patch and newest fix. THESE ARE NOT FIXES. These are just new problems.

My only suggestion to any of you would be just to stay away from WindowsXP altogether. I know that most of you will continue to use it. But, if you must use it, then I suggest NOT updating, upgrading, or patching....doing this will only lead to further trouble. Go through some other means of protection, through hardware perhaps. I for one will NEVER use XP.

A hacker somewhere in Germany would be much easier to protect yourself from than Microsoft.

Things are getting way out of hand. I choose to just stay away from the dubious crap that MS is turning into. This problem was not always this bad. With every new incarnation of Windows, newer and bigger problems result.
Posted by Prndll (382 comments )
Sorry, Bill
So if bill's idea falls through, your passwords are secure. Am I
the only one who still doesn't feel safe? Rooting a windows box
is 4 minutes for a script kiddie on neworder.box.sk, or some
other site, and guess what? Very few of those exploits involve
any form of password. We might be secure if we all used
thumbscanners, optical scanners, and voice identification, but
then again, our computers would also be fairly secure in a safe
in the middle of fort knox. Secure, but not convenient. I say if
people are having security problems with their windows, get a
free-BSD or something. You know, a REAL computer.
Not trying to flame or anything, hell one of my computers is
windows, just pointing out what should be obvious.

-Charre
Posted by (15 comments )
Posted in wrong thread. Damn it.
Hehe. As the title says, I just made one of the lamest yet most
common mistakes. Had two windows open, and posted the
above in the wrong one. Please, kill me fast. I don't want to have
to feel the pain. ;p. But seriously, the thread I MEANT to post in
is http://news.cbsi.com/Gates+Passwords+passe/2100-1029_3-5454719.html?tag=cd.top

-Charre
Posted by (15 comments )
 
