November 28, 2003 5:55 PM PST

New flaws reported in IE 6

Newly discovered security flaws in Microsoft's Internet Explorer could let attackers invade a user's PC, but a fix is not yet available.

Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.

Danish security firm Secunia warned that when used together, the flaws could allow an attacker to execute malicious code on a user's PC.

The flaws were reported this week by researcher Liu Die Yu, who posted the information on public security messaging boards, and appear to exist on PCs that are patched with the latest Microsoft security updates. Users are advised to switch off active scripting in Internet Explorer until a patch becomes available, or to use a non-IE browser.

Instructions on disabling active scripting, which may keep some sites from functioning properly, are available from the Computer Emergency Response Team.

One of the flaws is a cross-site scripting vulnerability, allowing scripts from one security domain (such as the Internet) to execute with the security privileges of another domain (such as My Computer).

Special report
A 20-year plague
Decades after creation,
viruses defy cure

Secunia said it had verified the flaw on IE 6, but the problems may affect earlier versions of the browser. "Other versions may also be affected, and have been added (to the advisory) due to the criticality of these issues," the company said in a statement.

Microsoft has said it is investigating the issue, and may issue a fix as part of its monthly patch release, or separately, depending on the severity of the problem. Microsoft's last cumulative monthly patch was issued on Nov. 12.

Matthew Broersma of ZDNet UK reported from London.


Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.