Feeds

Lookout for Internet Explorer bugs

A bad week in the office for MS security

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

It's been a bad week for Internet Explorer users as the second potential devastating vulnerability in as many days has been discovered by security researchers.

Flaws in the way IE renders binary attachments in HTML email could be used to trick users into running malicious code on their machines, Microsoft has admitted.

The problem, which affects IE 5.5 and 5.01, stems from the way the browser processes certain unusual MIME types, which it handles incorrectly.

If an attacker created a HTML email containing an executable attachment, then modified the MIME header to indicate a type that IE handles incorrectly then the attachment would be launched automatically.

The vulnerability, which was discovered by Juan Carlos Cuartango, could be exploited through either coaxing a victim into browsing a maliciously-constructed Web site or via the opening of an infected HTML email.

In a security notice on the subject, Microsoft admitted: "This vulnerability could enable an attacker to potentially run a program of her choice on the machine of another user. Such a program would be capable of taking any action that the user himself could take on his machine, including adding, changing or deleting data, communicating with web sites, or reformatting the hard drive."

Microsoft has issued a patch to address the problem, which is available here.

Earlier this week another potentially nasty IE flaw was suggested by veteran bug hunter Georgi Guninski.

In an advisory, Guninski said that the way Microsoft's Internet Explorer (IE), Internet Information Server (IIS) and Exchange 2000 work together can be exploited to obtain access to either server directories or email.

The issue is quite complex and concerns the way the scripting interface for accessing and manipulating object on IIS 5.0 or web storage (a feature of Exchange 2000) works.

Microsoft are looking into the issue and are reportedly not pleased with Guninski's early disclosure of a possible bug. In an email to Guninski, the software giant suggested any possible flaw could be effectively guarded against by using the trusted zones feature in its software.

Richard Stagg, a security consultant at Information Risk Management, said Guninski appeared to have hit on a live issue but he added that the more important factor was whether a packaged exploit would emerge, and that remained unknown. ®

Related Stories

MS gets hacked off with bug hunter
Warning issued over Windows Media Player 7 bug

Internet Security Threat Report 2014

More from The Register

next story
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
Oi, Europe! Tell US feds to GTFO of our servers, say Microsoft and pals
By writing a really angry letter about how it's harming our cloud business, ta
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Choosing a cloud hosting partner with confidence
Download Choosing a Cloud Hosting Provider with Confidence to learn more about cloud computing - the new opportunities and new security challenges.