Windows source code leak leads to IE hole

A bug hunter claims to have uncovered a security flaw in Microsoft Corp.’s Internet Explorer (IE) 5 Web browser by studying Windows source code that was leaked this month.

The vulnerability allows an attacker gain control over a user’s computer by using a specially crafted bitmap file. When loaded using IE 5, the file will trigger an overflow error and allow the attacker to run arbitrary code on a victim’s machine, according to a description of the flaw posted this week on the Web site.

The flaw was uncovered by reviewing IE source code that was part of a larger Windows code leak last week and exists in all versions of IE 5 for all Windows versions, according to the description.

Vulnerable versions of IE are used by millions of Internet users. As of Feb. 16, 17 per cent of Internet users worldwide had some version of IE 5 installed, according to San Diego-based Web tracking company WebSideStory Inc.

Thor Larholm, senior security researcher at PivX Solutions LLC in Newport Beach, Calif., confirmed the vulnerability. He investigated the report and tested code to exploit the flaw.

The IE 5 problem proves the security implications of the code leak, where a malicious coder could take advantage of the source code to find security holes, Larholm said. “This has definitely proven the potential for critical vulnerabilities,” he said.

Microsoft began investigating the vulnerability report on Monday, the company said in a statement. The security problem is a known issue that the Redmond, Wash.-based vendor discovered internally before and fixed in IE 6.0, according to the statement.

Microsoft urges IE 5 users to upgrade to IE 6.0 with Service Pack 1. However, IE 5.01 with Service Pack 2 is still supported, according to Microsoft’s product support Web page. The vendor is working on a patch for this and other versions of IE predating IE 6.0 and is investigating why it did not fix the vulnerability in those versions before, a Microsoft spokesperson said Tuesday.

Microsoft last week said that incomplete portions of its closely-guarded Windows NT and Windows 2000 source code, the blueprints of the operating system software, had been leaked on the Internet.

Analysts and security experts at the time warned that a breach of the Windows source code could expose users to an increase in cyberattacks because it would make it easier for hackers to find holes in the operating systems that they could exploit.