Security outfit Secunia has news of further exploits for Microsoft's browser, Internet Explorer. Three new problems have come to light, all of them critical, and all of them having potential to do serious damage to Internet Explorer users.
The first problem relates to IE not checking items that are dragged and dropped from the Internet zone to the local zone; IE fails to check for images or media embedded in HTML code. A website could place HTML code on a users system, which could subsequently execute code in the local zone. The second issue relates to IE's HTML help control; a specially crafted help (.hhk) file can execute potentially malicious code and could also execute local programs; this vulnerability can also by-pass the "Local Computer" zone lock down security feature in SP2. Finally, a bug in the way IE handles the "Related Topics" command in an embedded HTML Help control can be exploited to allow the execution of malicious code. For a more detailed explanation of the problems, see Secunia's advisory.
One Neowin reader notes a particularly nasty example of the potential these exploits have. Microsoft have yet to offer a patch for the problems. Internet Explorer users (including v5.x+, v6.x+) and XP users with SP2 installed are affected. Until Microsoft takes the browser problems seriously, one can only suggest that users jump ship and try something else. An Internet Explorer re-vamp in 2006 with Longhorn is fast becoming too far away for ever tiring web users.
View: Secunia Advisory | CERT Response
View: Test vulnerability
The first problem relates to IE not checking items that are dragged and dropped from the Internet zone to the local zone; IE fails to check for images or media embedded in HTML code. A website could place HTML code on a users system, which could subsequently execute code in the local zone. The second issue relates to IE's HTML help control; a specially crafted help (.hhk) file can execute potentially malicious code and could also execute local programs; this vulnerability can also by-pass the "Local Computer" zone lock down security feature in SP2. Finally, a bug in the way IE handles the "Related Topics" command in an embedded HTML Help control can be exploited to allow the execution of malicious code. For a more detailed explanation of the problems, see Secunia's advisory.
One Neowin reader notes a particularly nasty example of the potential these exploits have. Microsoft have yet to offer a patch for the problems. Internet Explorer users (including v5.x+, v6.x+) and XP users with SP2 installed are affected. Until Microsoft takes the browser problems seriously, one can only suggest that users jump ship and try something else. An Internet Explorer re-vamp in 2006 with Longhorn is fast becoming too far away for ever tiring web users.
View: Secunia Advisory | CERT Response View: Test vulnerability
Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!
Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.