Users of Microsofts flagship Internet Explorer browser are sitting ducks for security bypass attacks, according to a warning from a private researcher.
A spokesperson for the software giant acknowledged the MSRC (Microsoft Security Response Center) is investigating public reports of the flaw, which has been rated “moderately critical” by Secunia Inc.
“We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time,” the spokesperson said in a statement released to Ziff Davis Internet News.
Even as Microsoft Corp. is describing the issue as a “possible vulnerability” that “may impact” Internet Explorer, the researcher who discovered the bug has posted a detailed explanation of the risks involved.
In an advisory posted to cgisecurity.net, researcher Amit Klein warned that the bug can be exploited by malicious people to manipulate certain data and conduct HTTP request smuggling attacks.
The flaw was identified in IEs implementation of XmlHttpRequest, the Javascript object that allows a client-side Javascript code to send almost raw HTTP requests to the origin host and to access the responses body in raw form.
Klein discovered that input passed to the method parameter in the “open()” function in the “Microsoft.XMLHTTP” ActiveX control isnt properly sanitized before being used in a HTTP request.
This error can be exploited to inject arbitrary HTTP requests via specially crafted input containing tab and newline characters.
Successful exploitation requires that the HTTP request be sent to a server or via a proxy allowing tab characters instead of spaces in certain parts of the HTTP request.
A successful attacker could launch security bypass, data manipulation and information disclosure attacks.
Security alerts aggregator Secunia rates the issue as “moderately critical” and confirmed the vulnerability exists on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2 (Service Pack 2).
Secunia recommended that IE users set the browsers security level to “High” as a temporary precaution.