New IE security issue exposed in Windows XP
By Hani Megerisi
Posted on 1 Mar 2010 at 10:30
A new security issue in Internet Explorer has been exposed by a Polish technical research group.
The unpatched bug exists in VBScript and allows hackers to plant malware on machines running Windows XP and the IE browser.
Hackers could exploit the help files in Internet Explorer, leading to “remote code execution,” said Maurycy Prodeus, a security analyst with Polish group iSEC Security Research, who found and logged the problem last Friday.
Prodeus added that “some user interaction is needed” to trigger the vulnerability. “Victim[s] have to press F1 when [a] Message Box popup is displayed”.
Microsoft admits it's got a problem. “An issue was posted publicly that could allow an attacker to host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop up dialog box,” responded Microsoft’s senior Security Communications Manager Jerry Bryant on Microsoft’s security blog.
“The issue in question involves the use of VBScript and Windows Help files in Internet Explorer. Windows Help files are included in a long list of what we refer to as ‘unsafe file types’. These are file types that are designed to invoke automatic actions during normal use of the files. While they can be very valuable productivity tools, they can also be used by attackers to try and compromise a system.”
He added that, as of yet, the issue has not arisen on any other Microsoft OS.
IE has come under mass scrutiny over the past few months, after attacks on companies such as Google and Adobe revealed a security flaw in IE6 that could be exploited by hackers.
Can someone explain this line to me 'after attacks on companies such as Google and Adobe revealed a security flaw in IE6'
I'm confused how IE6 is linked to Google getting attacked. Google Inc. doesn't use IE6. Help me understand
By TimoGunt on 1 Mar 2010
What do you mean Google doesn't use IE? You think one of the biggest web companies wouldn't test in IE?
By magicmonkey3 on 1 Mar 2010
yep fair play, I'm an idiot, although I just find it weird that they got attacked through IE
By TimoGunt on 1 Mar 2010
Test what? Surely any testing would be upon their own content. Why would they be testing and downloading material from others?
By chapelgarth on 1 Mar 2010
Can someone explain...
why an Apple Mac would be affected by this? Or did somebody not check the photograph before it was released? ;-)
By big_D on 1 Mar 2010
