New IE security issue exposed in Windows XP
By Hani Megerisi
Posted on 1 Mar 2010 at 10:30
A new security issue in Internet Explorer has been exposed by a Polish technical research group.
The unpatched bug exists in VBScript and allows hackers to plant malware on machines running Windows XP and the IE browser.
Hackers could exploit the help files in Internet Explorer, leading to “remote code execution,” said Maurycy Prodeus, a security analyst with Polish group iSEC Security Research, who found and logged the problem last Friday.
Prodeus added that “some user interaction is needed” to trigger the vulnerability. “Victim[s] have to press F1 when [a] Message Box popup is displayed”.
Microsoft admits it's got a problem. “An issue was posted publicly that could allow an attacker to host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop up dialog box,” responded Microsoft’s senior Security Communications Manager Jerry Bryant on Microsoft’s security blog.
“The issue in question involves the use of VBScript and Windows Help files in Internet Explorer. Windows Help files are included in a long list of what we refer to as ‘unsafe file types’. These are file types that are designed to invoke automatic actions during normal use of the files. While they can be very valuable productivity tools, they can also be used by attackers to try and compromise a system.”
He added that, as of yet, the issue has not arisen on any other Microsoft OS.
IE has come under mass scrutiny over the past few months, after attacks on companies such as Google and Adobe revealed a security flaw in IE6 that could be exploited by hackers.
Can someone explain this line to me: 'after attacks on companies such as Google and Adobe revealed a security flaw in IE6'
I'm confused how IE6 is linked to Google getting attacked. Google Inc. doesn't use IE6. Help me understand.
By TimoGunt on 1 Mar 2010
What do you mean Google doesn't use IE? You think one of the biggest web companies wouldn't test in IE?
By magicmonkey3 on 1 Mar 2010
Yep, fair play, I'm an idiot, although I just find it weird that they got attacked through IE.
By TimoGunt on 1 Mar 2010
Test what? Surely any testing would be upon their own content. Why would they be testing and downloading material from others?
By chapelgarth on 1 Mar 2010
Can someone explain...
why an Apple Mac would be affected by this? Or did somebody not check the photograph before it was released? ;-)
By big_D on 1 Mar 2010
