Microsoft Patches Two IE Flaws
Both flaws involve problems with Internet Explorer's cross-domain security model.
Microsoft Corp. on Wednesday released another cumulative patch for Internet Explorer that fixes two new critical vulnerabilities in the browser. The two flaws are somewhat related in that they both involve problems with IE's cross-domain security model. The first vulnerability could allow an attacker to run malicious code on a user's machine by misusing certain dialog boxes. In order to exploit the issue, the attacker would need to create a malicious Web page and then entice a user to visit the page. Once the user visits the page, the attacker could misuse a dialog box in such a way that the script could access information in a different domain and possibly execute code on the user's machine.
The other flaw allows IE's showHelp() function to execute without the correct security checks. This function is used to display HTML pages with help content, but it allows more pluggable protocols than it should. This could enable an attacker to access user information, run executables that are already on the user's machine or execute arbitrary code on the user's PC.
Both vulnerabilities affect IE 5.01, 5.5 and 6.0.