Researchers have discovered two new vulnerabilities present in Microsofts dominant Internet Explorer browser, one of which has been rated by security experts as critical. Both vulnerabilities affect the Version 6.0 iterations of the browser.
According to virus watchers at the SANS Institutes Internet Storm Center, the flaws were reported to its Full-Disclosure mailing list along with related proof-of-concept code. However, the organization said it has not yet received any reports of the vulnerabilities being exploited in the wild.
Researchers described one of the glitches, which is capable of allowing so-called cross-site scripting attacks, as a critical vulnerability, the organizations most serious rating for emerging threats.
The other flaw was ranked by virus experts at security firm Secunia, in Copenhagen, Denmark, as “less critical,” the second-least serious ranking out of five assigned to such glitches under Secunias system.
Microsoft officials did not offer any further comment on the security issues, but SANS, in Washington, reported that the software giant was aware of the problems and researching their potential impact.
According to SANS, the more serious Internet Explorer vulnerability can be exploited via the use of certain HTML applications designed to trick users into opening a file by double-clicking on it. The questionable file has to be accessible through the softwares SMB or WebDAV (Web-based Distributed Authoring and Versioning) protocols, and can be located on a remote Web site.
Researchers said the proof-of-concept attack they were sent is limited in scope based on the fact that it requires the user to click on an icon to execute any potentially malicious payload, but the organization said it expects to unearth “creative use” of the exploit in the wild “very soon.”
One suggested workaround for the problem is to disable Internet Explorers active scripting capabilities altogether.
The second, less harmful vulnerability is related to the Web browsers handling of a specific type of HTML property in the software. SANS said abuse of this property could allow an attacker to retrieve content remotely when a Web page is viewed by a user.
The company said the vulnerability could be “potentially nasty,” as it could allow attackers to retrieve data from other Web sites a user is logged into, such as a Web mail account, to steal users credentials.
SANS had originally reported that the second issue could also affect Mozillas Firefox open-source browser, but has since rescinded that claim based on input from other researchers.
On June 26, Microsoft took the unusual step of releasing a formal security advisory to warn of the publication of “detailed exploit code” that targeted a critical Windows vulnerability. The software makers security response unit strongly urged Windows users, especially businesses running Windows 2000, to patch the vulnerabilities addressed in the MS06-025 bulletin because of the potential for a worm attack.
The MS06-025 bulletin provides fixes for a pair of code execution flaws in the RRAS (Routing and Remote Access Service) in Windows. On Windows 2000 systems, the flaws carry a “critical” rating because they permit a remote unauthenticated attack vector. Both flaws could allow a remote attacker to take “complete control” of an affected system, and because a blow-by-blow exploit has been published on the Web, Microsoft is bracing for potential attacks.
Microsoft typically addresses security issues in a monthly update.