SANS Spots New IE Vulnerabilities

Two flaws have been discovered in Microsoft's Internet Explorer Web browsing software, one of which has been labeled a critical vulnerability.

Researchers have discovered two new vulnerabilities present in Microsofts dominant Internet Explorer browser, one of which has been rated by security experts as critical. Both vulnerabilities affect the Version 6.0 iterations of the browser.

According to virus watchers at the SANS Institutes Internet Storm Center, the flaws were reported to its Full-Disclosure mailing list along with related proof-of-concept code. However, the organization said it has not yet received any reports of the vulnerabilities being exploited in the wild.

Researchers described one of the glitches, which is capable of allowing so-called cross-site scripting attacks, as a critical vulnerability, the organizations most serious rating for emerging threats.

The other flaw was ranked by virus experts at security firm Secunia, in Copenhagen, Denmark, as "less critical," the second-least serious ranking out of five assigned to such glitches under Secunias system.

Microsoft officials did not offer any further comment on the security issues, but SANS, in Washington, reported that the software giant was aware of the problems and researching their potential impact.

According to SANS, the more serious Internet Explorer vulnerability can be exploited via the use of certain HTML applications designed to trick users into opening a file by double-clicking on it. The questionable file has to be accessible through the softwares SMB or WebDAV (Web-based Distributed Authoring and Versioning) protocols, and can be located on a remote Web site.

Researchers said the proof-of-concept attack they were sent is limited in scope based on the fact that it requires the user to click on an icon to execute any potentially malicious payload, but the organization said it expects to unearth "creative use" of the exploit in the wild "very soon."

One suggested workaround for the problem is to disable Internet Explorers active scripting capabilities altogether.

/zimages/2/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

The second, less harmful vulnerability is related to the Web browsers handling of a specific type of HTML property in the software. SANS said abuse of this property could allow an attacker to retrieve content remotely when a Web page is viewed by a user.

The company said the vulnerability could be "potentially nasty," as it could allow attackers to retrieve data from other Web sites a user is logged into, such as a Web mail account, to steal users credentials.

SANS had originally reported that the second issue could also affect Mozillas Firefox open-source browser, but has since rescinded that claim based on input from other researchers.

On June 26, Microsoft took the unusual step of releasing a formal security advisory to warn of the publication of "detailed exploit code" that targeted a critical Windows vulnerability. The software makers security response unit strongly urged Windows users, especially businesses running Windows 2000, to patch the vulnerabilities addressed in the MS06-025 bulletin because of the potential for a worm attack.

/zimages/2/28571.gifClick here to read more about Microsofts unusual warning about the release of exploit code for Windows.

The MS06-025 bulletin provides fixes for a pair of code execution flaws in the RRAS (Routing and Remote Access Service) in Windows. On Windows 2000 systems, the flaws carry a "critical" rating because they permit a remote unauthenticated attack vector. Both flaws could allow a remote attacker to take "complete control" of an affected system, and because a blow-by-blow exploit has been published on the Web, Microsoft is bracing for potential attacks.

Microsoft typically addresses security issues in a monthly update.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.