Microsoft Ups IE Flaw to Critical | eWeek

Microsoft Ups IE Flaw to Critical

Écrit par
Dennis Fisher
Dennis Fisher
Dec 9, 2002
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Microsoft Corp. on Friday upgraded the severity rating of its most recent cumulative patch for Internet Explorer after a security researcher posted to a mailing list information that showed a new flaw was more serious than the software giant realized.

The patch, released last Wednesday, fixes a vulnerability in IE 5.5 and 6.0 in the browsers cross-domain security model. The software performs incomplete security checks when certain object caching techniques are used in Web pages.

An attacker could exploit the flaw by either sending the malicious code to the user in an HTML mail message or luring the user to a Web page containing the code.

Microsofts original bulletin said that an attacker could not use the flaw to run code on a users machine, and the vulnerability was rated “moderate.” However, a Danish security expert, well-known for finding vulnerabilities in IE, disputed this claim, saying that the flaw could be used to execute code on vulnerable machines. Thor Larholm, a vulnerability researcher at PivX Solutions LLC in Newport Beach, Calif., said Microsoft deliberately downplayed the severity of the problem. Officials at the Microsoft Security Response Center in Redmond, Wash., rejected this claim, saying that they had not been able to reproduce the results that Larholm had achieved.

However, after further investigation, the MSRC was able to use the vulnerability to run code on another users machine. As a result, the company upgraded the severity of the vulnerability to “critical,” the most severe rating.

“Information posted to [BugTraq] shortly after the release of MS02-068 prompted an investigation that uncovered a previously unknown exploit scenario. The newly discovered exploit scenario—still based on a vulnerability fixed in MS02-068—could allow a malicious user to run code on a users computer via a specially crafted Web site or e-mail message—thus warranting a severity rating of critical,” said a Microsoft spokesman.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.