Two New IE Bugs Uncovered

A pair of unpatched bugs in Microsoft's popular Internet Explorer browser may soon be in play, as proof-of-concept code has gone public for both.
Security analysts Wednesday warned users of a pair of unpatched bugs in Microsoft's popular Internet Explorer browser that may soon be in play because proof-of-concept code has gone public for both.

The two vulnerabilities have been detailed on the Full Disclosure security mailing list, and were the root of alerts issued by the SANS Institute's Internet Storm Center and Symantec Corp. on Wednesday.

One vulnerability lets attackers execute their code remotely if they can dupe users into double-clicking on a file included in a malicious Web page. The Internet Storm Center claimed that the current proof-of-concept exploit code requires this kind of user interaction, but went on to warn that "we can expect to find creative use of this exploit in the wild very soon." According to the ISC, disabling IE's active scripting capabilities might protect against an exploit of the bug.

The second flaw is due to a failure of IE to enforce cross-domain policies, Symantec said in a warning to customers of its DeepSight threat system. IE, which has been victimized by numerous cross-domain vulnerabilities, could be exploited to hijack usernames and passwords.

"This vulnerability can be potentially nasty as attackers can use it to retrieve data from other web sites [that the] user is logged into (for example, webmail) and harvest user credentials," said the ISC note. "Several handlers have spent a little more time validating this particular issue and while it is a subtle exploit and rated a lower level risk, this issue has raised some of our neck hairs."

Danish bug tracker Secunia rated the pair as "less critical," and posted a test users can run to see if their browser is vulnerable to the cross-domain flaw.

According to Secunia's quick test, IE 7 Beta 2 is not vulnerable to the cross-domain vulnerability. That's not surprising, since the Redmond, Wash. developer has claimed the browser's code was rewritten to reduce its cross-domain scripting profile.
