A new security hole—the latest in a series of Windows-related flaws uncovered in the last month—has been discovered in Microsofts Internet Explorer browser that could allow a remote attack by a hacker on computers or servers running Windows XP with Service Pack 2.
eEye Digital Security broke the news of the vulnerability Thursday. The flaw is apparent only in the default installations of the IE browser, the company said.
“The security hole is a client-side problem,” said Steve Menzuik, eEye Digitals security products manager in the research group.
“The only way the average user would be affected by this is if an attacker decided to hack into a Web site and deploy malicious code, and a person using the IE browser happened to come to that site at the same time. Then the users machine would be open to the same malicious code.”
If a busy Web site, such as Amazon.com or eBay.com, were hacked through this vulnerability, Menzuik told eWEEK.com, then there would be a greater possibility of the malicious code spreading to a large number of machines.
“But this is only a remote possibility,” Menzuik said. “Ive not seen something like that happen in the 14 years Ive been working in Internet security.”
Browser industry analyst Michael Gartenberg of Jupiter Research told eWEEK.com that this latest reported vulnerability is “not surprising. Microsoft continues to be the most tempting target for hackers and probably will be for the foreseeable future. Ironically, many people bought [Windows] SP2 because Microsoft offered it as being stronger in security.”
Gartenberg said users should remember that “security on the Internet is a two-way street between vendors and users.
/zimages/2/28571.gifClick hereto read more about a recent critical flaw in Internet Explorer.
People browsing the Internet have to “lock their own doors and windows,” and be prepared to take whatever action necessary to keep their own data secure. Microsoft and other companies are certainly doing their part.”
Microsoft issued a cumulative patch addressing three “critical” vulnerabilities for IE only a month ago. The Redmond, Wash.-based corporation postponed its monthly Windows patch this week.
“Microsoft is aware of this report and is examining all the details, as always,” a Microsoft spokesperson told eWEEK.com Friday. “We are not aware of any [hacking] attacks nor of any users who have been impacted by this.”
The spokesperson said that because the details of the vulnerabilities have not been made public, users are not currently at risk of an exploit being developed to take advantage of the flaw.
/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.