Five new flaws from Microsoft
By Matt Whipp
Posted on 12 Nov 2003 at 11:36
Microsoft has released a security update for Internet Explorer that tackles five new flaws as well as including previous MS patchwork for the browser and email program.
The vulnerabilities receive the aggregate stamp of Critical from Microsoft and affect all supported versions of Windows: from 98 and NT 4.0 to Windows XP and Windows Server 2003, including 64-bit versions. Versions of IE from 5.01 and above are also affected.
Older instances of the software may still be affected, but Microsoft no longer supports them.
Three of the flaws relate to IE's security processes that stop one window sharing information with another. If an attacker could persuade a user to view an HTML document - either a Web page or HTML email - that exploited the flaw, they would be able to access files on other Web sites that the user was viewing and also local files in the My Computer zone. They could also run code, but only with the privileges of the user logged on at the time.
A further flaw in the way IE handles Dynamic HTML has also been discovered that could be triggered by getting a user to click a specially-crafted link. Doing so would allow an attacker to save a file (eg a Trojan back-door program) on the user's computer without the user having to accept the download.
The last of the five involves a problem in the way IE deals with an XML object. Exploiting the flaw would mean getting a user to explicitly accept the download of an HTML file, which would allow the attacker to read files from a known location - My Documents, for example.
Users of recent versions of Outlook and Outlook Express may escape attacks based on HTML emails, as the programs limit what code can do.
The patch is available from the Microsoft Website.
