Microsoft details IE vulnerability

An attacker can automatically store and execute a malicious program on a user’s PC by exploiting a flaw in Microsoft Corp.’s Internet Explorer (IE) Web browser, the software maker has warned in a security bulletin.

IE 6.0 is flawed in the way it handles the Content-Disposition and Content-Type HTML (HyperText Markup Language) header fields on a Web page, Microsoft said. These fields, together with the hosting URL (Uniform Resource Locator) and the hosted file details, determine how IE handles a file after download, the company said.

An attacker can misrepresent the file type by altering the headers on a Web page or in an HTML e-mail message. IE then automatically downloads and executes the program when a user visits the Web site or views the e-mail message either in the preview pane or by opening it in an e-mail client that uses IE, such as Outlook Express, Microsoft said.

IE is supposed to show a security warning and ask the user what to do when a Web site offers an executable file for download.

The flaw also exists in IE versions 5.5 and 5.0, according to Oy Online Solutions Ltd., a Finnish security company credited by Microsoft for discovering the flaw. IE 5.5 with service pack 2 (SP2) installed isn’t affected, Microsoft and Oy Online Solutions said. Microsoft only offers “hotfix support” for IE 6.0 and 5.5 with SP2, the latest IE versions.

An attacker could hijack a user’s system and do anything a user could. The machine might be used in distributed denial of service (DDoS) attack or to spread viruses, Oy Online Solutions said.

Microsoft included a patch for the flaw in a cumulative software patch for IE versions 6.0 and 5.5 with SP2. The cumulative patch fixes all known bugs as well as three new ones, including the automatic file download and execute vulnerability.

Another new fix is one for a bug Oy Online Solutions made public in November. The file name in the IE download dialog box can be faked, potentially tricking a user into downloading and installing a malicious program on his PC by disguising it as an innocent file. This affects both IE5.5 SP2 and IE6.0, Microsoft said.

“This flaw led an expert at the Finnish company to discover the more serious automatic file download and execute flaw,” said Oy Online Solutions managing director Jyrki Salmi.

There have been no reports of the most serious flaw being exploited, according to Salmi. However, he added, it isn’t hard to find and exploit the hole.

“Somebody who is familiar with IE could be able to find the flaw based on information Microsoft provided and then it is fairly easy to exploit the flaw,” he said. “This should be made very public and users should upgrade IE.”

A third newly discovered flaw for which a patch is now available is a frame domain verification flaw. This flaw allows a malicious Web site operator to read any file on the user’s PC that can be opened in a Web browser and affects both IE 5.5SP2 and IE 6.0, Microsoft said

The file download and execution vulnerability is critical, according to Microsoft. The two other flaws are described as “moderate.”

Oy Online Solutions Ltd. in Jyv

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now