Flaws in IE Upgraded to Critical Rating

Microsoft also releases patches for 8 new vulnerabilities in Java virtual machine software.

Security issues continue to haunt Microsoft Corp., as the software company recently disclosed several serious vulnerabilities in its Java implementation and was forced to restate the severity of two flaws in Internet Explorer.

The Redmond, Wash., company earlier this month upgraded the severity rating of a vulnerability in the way that IE handles PNG (Portable Network Graphics) images. The browser fails to correctly check the parameters of PNG files when it opens them, which can result in a buffer overrun. Other Microsoft applications, including Office products, use IE to render PNG images, and using this vulnerability against one of these applications could allow an attacker to run code on a users machine.

In its original advisory Nov. 20, Microsoft gave this vulnerability a rating of "important" but on Dec. 12 escalated it to "critical," the highest rating. The change resulted from research by eEye Digital Security Inc., which discovered that it was possible to run code on remote users systems.

The first version of the bulletin said that an attacker could force IE to crash only by exploiting this flaw. eEye published its advisory on the BugTraq security mailing list Wednesday.

This was the second time in about a week that Microsoft had moved to upgrade the severity rating of a vulnerability. The company Dec. 4 released a cumulative patch for IE, which also fixes a new flaw that the company said could allow a Web site to access information on users machines.

The company rated the vulnerability as "moderate" and said that attackers could read but not change files on a vulnerable machine or run without parameters an executable file already present on the computer. However, a well-known security researcher posted a message to BugTraq disputing Microsofts assessment of the vulnerability, saying that the flaw is much more severe than the company reported.

"Microsoft has given this vulnerability a maximum severity rating of moderate. Great, so arbitrary command execution, local file reading and complete system compromise is now only moderately severe, according to Microsoft," wrote Thor Larholm, a Danish security researcher with PivX Solutions LLC, a Newport Beach, Calif., security consultancy.

Microsoft later upgraded the severity rating to "critical."


Recent security problems for Microsoft
  • Dec. 4 Microsoft issues patch for object-caching flaw in IE
  • Dec. 6 Microsoft upgrades severity of object-caching flaw
  • Dec. 11 Microsoft issues fix for eight flaws in Virtual Machine
  • Dec. 12 Microsoft forced to upgrade severity of PNG flaw to "critical"
Microsoft also recently released fixes for eight new vulnerabilities in its VM (Virtual Machine) software, the most serious of which gives attackers the ability to take control of vulnerable PCs. VM runs Java applets in Windows environments and ships with most versions of Windows and IE.

The most dangerous of the new flaws lies in the way that Java programs access COM (Component Object Model) objects. The vulnerability allows untrusted applets to access some COM objects that make it possible for an attacker to compromise a target system. Two of the other vulnerabilities allow a Java applet to disguise the location of its code base. This, in turn, could allow an applet on a Web site to mask its location and act as if it were located on a users machine or network.

There is also a vulnerability that results from the VMs failure to prevent applets from calling a certain set of APIs that provide database access methods. An attacker who exploits this flaw could take any action on a database file, limited only by the local users permissions.

The four other vulnerabilities are less serious.