Disclosure Of Suspected Flaw In Microsoft IE
Xsec, a security services company, claims that there is a new flaw in Internet Explorer that attackers could exploit to introduce malicious code or cause a 'denial of service'. Microsoft is investigating the claim.
Xsec has alerted Internet users to a recent vulnerability in Microsoft's Internet Explorer Web browser that could trick Web surfers into downloading malicious programs. Xsec, a vulnerability research organization, has outlined the flaw in an advisory, which says it results from the way IE attempts to reference certain COM objects.
The company believes that attackers can capitalize on the flaw by creating a malicious Web page and tricking the user into visiting it. Such a Web page would call on the COM objects in a way that triggers the vulnerability. The malicious page could then transmit the content to controls such as 'recorded memory addresses' and 'executable instructions'. The flaw could work much better if combined with another IE weakness. Web site owners could use the flaw to camouflage their sites' identities by showing a fake address in the IE address and status bars.
Anti-virus security vendor Symantec says that an attacker can exploit this to run arbitrary code in the affected application. Failed exploit attempts could lead to a 'denial of service'. Symantec also warned about the availability of 'proof of concept' code that demonstrates how the flaw can be exploited.
Although Microsoft said that it is not aware of any exploit of the supposed flaw, a company representative said that it is investigating the report. He also complained that, as on previous occasions, security researchers had publicized software flaws before software writers could investigate and rectify the problems.
Microsoft has still not received any reports of affected customers. The company plans to distribute an "out of cycle" update in addition to its monthly round of security patches. Until a security fix is released, Microsoft advises its customers to follow its "Protect Your PC" guidance program, which recommends installing a firewall, all available product updates and anti-virus software.
» SPAMfighter News - 04-09-2006