2 min read

More Vulnerabilities For Internet Explorer

This time, hackers have posted exploits that can insert malicious code onto systems running Microsoft's Web browser.
Internet Explorer users are again potentially at risk, this time from hackers who have posted exploits that have the ability to insert malicious code onto systems running Microsoft's Web browser.

According to Alfred Huger, an analyst with Symantec Corp.'s security response team, several new vulnerabilities within Internet Explorer 5.5 and 6.0 have been spotted this week on security mailing lists.

Among them is one for which exploit code has been seen in the wild. Hackers who can entice users to specially crafted Web sites--which contain Visual Basic scripts that point to an executable file embedded as a string array in the page--can gain control of the system, and if they want, drop code of their own onto the machine. Typically such code is in the form of a Trojan horse, which lets the hacker later launch additional attacks on other machines.

"These are fairly serious vulnerabilities," Huger said. "Many already have exploits available, and for those that don't, creating them is relatively trivial."

While Microsoft has previously issued patches for other Internet Explorer vulnerabilities, those that Symantec cited haven't been fixed by the vendor. Such threats, dubbed "zero-day" exploits, are considered the most dangerous by security analysts because fixes that stymie the attack aren't available.

Huger's advice is to ratchet up the security of Internet Explorer by disabling such features as Java and active scripting, and forbidding ActiveX controls from running when the browser encounters them at a Web site. But, he admitted, "That makes your browser pretty cumbersome to use."