Three new security vulnerabilities in Microsoft Corp.s newest Internet browser give attackers the ability execute arbitrary code and read files stored on target machines.
All of the flaws affect Internet Explorer 6.0, and two of them also affect IE 5.5. Microsoft has given all three vulnerabilities critical ratings, its most serious designation.
The most severe flaw involves the way that IE 6.0 handles content-disposition and content-type header fields. The fields, along with the URL and the hosted file data, determine how a file is handled when it is downloaded by IE, according to a Microsoft bulletin.
By altering the HTML header in a specific manner, an attacker could force IE to open an executable file upon download, without asking the user for permission. Thus, an attacker could create an HTML mail message or Web page capable of automatically running code on a vulnerable machine.
A simple workaround for this vulnerability is to disable file downloads in the Security Zone in which the file is received, most often the Internet or Intranet zones. This is not the default setting for either zone, however, so the change must be made manually.
The second flaw--affecting both IE 5.5 and 6.0--is a variant of a previously discovered problem that enables a Web-site operator to open two browsers, one in the sites domain and another on the users machine, and pass information from one to the other. This enables the attacker to read, but not modify, files on the users machine that can be opened in a browser, such as HTML or image files.
A third flaw in IE 5.5 and 6.0 under some circumstances enables an attacker to change the name of a file in the dialog box that appears when a file is being downloaded from the Internet. The vulnerability can be exploited via HTML mail or a Web page and can be used to trick users into opening malicious files.
Microsoft has included patches for all three vulnerabilities in a new roll-up package that also contains fixes for all previously discovered flaws in IE 5.5 and 6.0.
The package is available at Microsofts security site.