A flaw in Microsoft Internet Explorer's image rendering capabilities may allow attackers to execute code remotely, a security expert has warned.
Michal Zalewski, a security consultant and author, said he has found a number of possible flaws in the way the Web browser software handles JPEG images. Zalewski said that one of the flaws could be exploited for remote arbitrary code execution, a type of attack that is generally categorized as "critical" by security vendors.
Four proof-of-concept images that aim to exploit these flaws have been posted on the Web by Zalewski. Each of these has the potential to crash IE 6, the latest version of Microsoft's browser, even if it has been patched with Service Pack 2. Previous versions of IE may also be affected, according to a SecurityFocus posting. Two of the exploit images also cause memory and CPU problems.
Zalewski said he did not report this bug to Microsoft before publishing it, due to the problems he claims to have experienced with the software giant's bug-reporting process.
"It is my experience that reporting and discussing security problems with Microsoft is a needlessly lengthy process that puts too much burden and effort on the researcher's end, especially if you just have a crash case, not a working exploit; hence, they did not get an advance notice," said Zalewski in a posting on security site Neophasis.
"Microsoft is investigating new public reports of possible vulnerabilities in Internet Explorer, but we have not been made aware of attacks," a representative for the software maker said. "Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. Microsoft is concerned that this new report of possible vulnerabilities in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk."
Earlier this week, another image-processing security vulnerability that affected both IE and MSN Messenger surfaced. That bug was caused by a flaw in the way the applications handle International Color Consortium Profiles, but that problem was fixed by Microsoft in its last set of patches.
More information on the flaws can be found on the SecurityFocus Web site, under bug number 14282 and 14284.
I'm so happy to hear that you didn't say switch to FF because it's been riddle with bugs and missteps lately. See Dog Days for FireFox <a class="jive-link-external" href="http://news.com.com/Dog+days+for+Firefox/2009-1032_3-5798545.html?tag=nefd.lede" target="_newWindow">http://news.com.com/Dog+days+for+Firefox/2009-1032_3-5798545.html?tag=nefd.lede</a>
As for Opera, I love this browsers functionality, it's the best. But if it were popular enough to attract hackers I think it would fare far worse then FF and IE. And for that mater, if the browser market share were reversed with FireFox having 90% of the market it would have 10 times more bugs then IE because hackers(I'm sure they're pissed off Microsoft Devs) are barely creating exploits for it.
Already using 8.0.1 & it's fine for most things. But some sites only work with IE, and they are sites that I HAVE to use - so I have to keep IE too.
You folks that continue to pay Bill for the trash heaps he spews from REDmond make me laugh. What makes someone put up with such c r a p? It can't be the user friendliness, security, ease of use, stability or the total cost of ownership. So what is it?
I guess if everyone switched to OS X or Linux then we wouldn't have trash like Windoze to make us look so good.
All those reasons you mentioned (user friendliness, security, ease of use, stability and the total cost of ownership) work for me. But don't worry; I am sure that you have conviced someone to try Linux with your comment. But not me because I already have this year and it still sux. Again.
Incidently, what do you mean by "continue to pay"? I paid for Win2K once five years ago and I still love it. Do you lease your software or is it so bad that you are itching for the latest upgrade that oozes out?
Web giant is spending $120 million to beef up its Mountain View, Calif., headquarters, according to filings with the city reviewed by the San Jose Mercury News.
The Samsung Galaxy Mini 2 S6500 could make its debut at the Mobile World Congress in Barcelona later this month, according to a leaked promotional image.
MIT creates a simulation to celebrate the 50th anniversary of Spacewar. A relic of the early days of minicomputers, it was one of the first computer video games and set the stage for many others, including Asteroids.
As for Opera, I love this browsers functionality, it's the best. But if it were popular enough to attract hackers I think it would fare far worse then FF and IE. And for that mater, if the browser market share were reversed with FireFox having 90% of the market it would have 10 times more bugs then IE because hackers(I'm sure they're pissed off Microsoft Devs) are barely creating exploits for it.
from REDmond make me laugh. What makes someone put up with
such c r a p? It can't be the user friendliness, security, ease of use,
stability or the total cost of ownership. So what is it?
I guess if everyone switched to OS X or Linux then we wouldn't
have trash like Windoze to make us look so good.
Incidently, what do you mean by "continue to pay"? I paid for Win2K once five years ago and I still love it. Do you lease your software or is it so bad that you are itching for the latest upgrade that oozes out?
Buy a Dell dude and leave Windows on it too.