More Microsoft browser vulnerabilities reported
- By William Jackson
- Mar 23, 2006
Two new vulnerabilities in Microsoft's Internet Explorer Web browser have been reported in the last week'an overflow problem that could crash the browser and another that could allow exploit of malicious code on the victimized computer.
No exploits for these vulnerabilities have been reported, but the problem allowing exploit of code was rated 'highly critical' by Secunia, the Copenhagen-based security monitoring company which reported it.
As disturbing as the severity of the vulnerability is the fact that both were published before Microsoft had a chance to provide patches for them. The accepted protocol for security researchers is to give a vendor an opportunity to correct the problem with a software patch or a work-around before publishing details.
The overflow vulnerability was reported March 16 on the SecurityFocus Web site
'I eagerly await due reprimand from Microsoft for not disclosing this vulnerability in a manner that benefits them most,' the poster Michal Zalewski said.
According to the post, the vulnerability is triggered by specifying a large number of script action handlers on an HTML tag in a Web site. The problem has been verified on a fully patched version of Internet Explorer 6 with Windows XP Service Pack 2.
The more severe vulnerability, called the IE 'createTextRange()' Code Execution, was reported Wednesday by Secunia
. The processing error could be exploited by a malicious Web site to corrupt memory and allow the program flow to be redirected.
Secunia reports that Microsoft currently is working on a patch for the problem, but the company has not commented publicly on the vulnerabilities. Microsoft typically issues patches on the second Tuesday of each month. The next 'Patch Tuesday' is April 11. There has been no word on whether the vulnerabilities will be included in that release.
Security companies, such as Smoothwall Ltd. of the U.K., have begun updating blocking rules to protect against the vulnerabilities. Smoothwall CEO George Lungley said the early publication of the vulnerabilities, which can open the way for 'zero day' attacks, is worrisome.
'In recent times, people have been more disciplined,' about release of such information, Lungley said. Although exploits have not been reported, malware writers typically follow up on vulnerabilities quickly.
'It will be interesting to see how quickly Microsoft responds to these things,' he said.
He said embedding code in Web pages is an increasingly common vector for malware, replacing e-mail as the delivery mechanism of choice for viruses and Trojans.
William Jackson is a Maryland-based freelance writer.