New critical vulnerabilities discovered in IE

A set of new security vulnerabilities have been discovered in Microsoft Corp.’s Internet Explorer (IE) Web browser which used together could allow hackers to compromise user PCs, researchers warned Tuesday.

The five vulnerabilities have been reported in IE 6.0, although other versions may have been affected, according to a bulletin released by security company Secunia Ltd.

The scripting flaws could allow hackers to bypass security and compromise systems, giving them access to sensitive information and cross-site scripting, according to Secunia.

The Copenhagen, Denmark, company has classified the vulnerabilities as “extremely critical” and is advising all IE users to disable Active Scripting or “use another product.”

“If they care about Internet security, users should make sure to disable active scripting,” Secunia chief technology officer (CTO) Thomas Kristensen said Wednesday.

Microsoft is currently investigating the new vulnerability reports but is not aware of any active exploits or customer impact at this time, according to a representative for Microsoft.

Upon completion of its investigation, Microsoft may release a fix in its next monthly security update or an out-of-cycle fix if needed, the representative said.

However, Kristensen said he doubts that the software giant will break its monthly patch release cycle to address the issues.

“I would be happy to see them break their cycle because it affects customers, but I doubt it,” he said.

The security flaws were originally discovered by Chinese security researcher Liu Die Yu, who published the vulnerabilities and proof of concept evidence Tuesday.

The Microsoft representative said that the company is “concerned that the new reports of vulnerabilities in IE were not disclosed responsibly, potentially putting computer users at risk.”

The company advised users to download its latest IE cumulative patch, released Nov. 11, while it looks into the new vulnerabilities.