Secunia yesterday upgraded a vulnerability assessment from last year, raising it from “highly critical” to “extremely critical.” The vulnerability is in Microsoft’s Internet Explorer (IE) 6.0 and affects users of IE on Windows XP Service Pack 2 (SP2).
The update, issued Friday, describes a vulnerability caused by the combination of an HTML Help control flaw and a drag-and-drop vulnerability, which bypasses the “Local Computer” zone lockdown security feature in XP SP2.
The vulnerability affects users who visit a website where an attacker has manipulated the site to use the ActiveX Data Object (ADO) model to write arbitrary files onto the user’s computer without the person’s knowledge.
Microsoft had already released a patch for the drag-and-drop vulnerability, but officials were assessing the combo vulnerability’s impact before deciding whether to issue a subsequent patch.
Microsoft officials said the Secunia advisory doesn’t bring anything new to the table.
“This new report describes an exploit that takes advantage of two previously reported vulnerabilities in Internet Explorer,” a statement by Microsoft reads. “Microsoft is currently working on an update to address these vulnerabilities. Customers who have followed our Safe Browsing guidance and have set their Internet Security zone settings to ‘high’ are not impacted by this vulnerability. Enterprise administrators who have restricted access to the ‘startup’ folder on their network client computers are at a reduced risk from this vulnerability.”
Secunia officials recommend users switch to another type of browser until Microsoft comes up with a fix. Alternatively, they suggest users follow Microsoft’s advice and disable the “drag and drop or copy and paste files” feature in IE and set the security level to “high.”
Secunia also posted a test application for Windows XP SP2 and IE 6.0 users to determine whether their systems are vulnerable.