More Security Holes Found In Internet Explorer 6.0 - InformationWeek
11/19/2004
08:16 AM

Three more vulnerabilities in Microsoft's Internet Explorer 6.0 browser were disclosed by Danish security vendor Secunia.

Three more vulnerabilities in Microsoft's Internet Explorer 6.0 browser were disclosed Wednesday by Danish security vendor Secunia, bringing the total of IE bugs found by the firm in the last two months to an even dozen.

Two of the flaws were tagged as "moderately critical" by Secunia, which relayed the warnings from a pair of researchers in an online alert posted to its site. One relates to the Windows XP SP2 feature that warns users when opening certain types of downloaded files, such as .exe files. A hacker could create an HTTP header or a specially made URL, said Secunia, to bypass that warning.

The second of the pair involves a bug in how some documents are saved using a JavaScript function. The vulnerability can be exploited to spoof the file extension in the "Save HTML Document" dialog box.

"A combination of [the] vulnerabilities can be exploited by a malicious Web site to trick a user into downloading a malicious executable file masqueraded as a HTML document," said Secunia in its online advisory.

There is no fix for the two IE holes since they can be exploited even on Microsoft's newest edition of IE 6.0, the one delivered with SP2.

The third flaw, dubbed "not critical," stems from how IE 6.0 handles cookies. It might be possible for a hacker, using a malicious Web site, to hijack a Web session (although not compromise the computer itself).

Internet Explorer and Windows XP SP2 have been taking hits of late from security researchers. A week ago, Finjan Software said that SP2 had 10 unpatched vulnerabilities, several of which related to new security features intended to protect IE users from downloading possibly malicious files.

Microsoft reacted to the news of more gaffes in IE with a variation of its usual comment. "We are aggressively investigating the public reports [and] will take the appropriate action to further protect customers ... depending on customer needs," a spokesperson wrote in an e-mail to TechWeb. "We have not been made aware of any active attacks against the reported vulnerabilities at this time," the spokesperson added.
