RealTime IT News

Six More IE Holes Patched

For the second time this year, Microsoft has issued a cumulative patch for six new security vulnerabilities in its flagship Internet Explorer browser product, the most serious of which allows an attacker to execute commands on a user's system.

On the heels of Microsoft's 'mother of all patches' issued for IE flaws back in May, the software giant warned that IE versions 5.01, 5.5 and 6.0 contain several newly-discovered vulnerabilities and pinned an "important" rating on the latest cumulative patch.

The advisory contained a fix for a flaw in the way IE checks the components that the OBJECT tag calls. This bug lets intruders obtain the name of the Temporary Internet Files folder on the user's local machine. "The vulnerability would not allow an attacker to read or modify any files on the user's local system, since the Temporary Internet Files folder resides in the Internet security zone."

"Knowledge of the name of the Temporary Internet Files folder could allow an attacker to identify the username of the logged-on user and read other information in the Temporary Internet Files folder such as cookies," it added.

The latest patch includes the functionality of all previously-released IE fixes and seeks to eliminate a buffer overrun vulnerability that occurs because Internet Explorer does not correctly check the parameters of a PNG graphics file when it is opened.

While this bug could only be used to crash the IE browser, Microsoft warned that a number of other products -- notably, most Microsoft Office products and Microsoft Index Server -- rely on IE to render PNG files, and an exploit of this flaw would cause those to fail as well.

The company also found an information disclosure vulnerability related to the way that IE handles encoded characters in a URL, warning that this bug could allow an attacker to craft a URL containing some encoded characters that would redirect a user to a second web site. "If a user followed the URL, the attacker would be able to piggy-back the user's access to the second website. This could allow the attacker to access any information the user shared with the second web site," it warned.

Microsoft said three of the new vulnerabilities result from incomplete security checks being carried out when particular programming techniques are used in web pages, and would have the effect of allowing one website to access information in another domain, including the user's local system.

This security hole could let a web site operator read, but not change, any file on the user's local computer that could be viewed in a browser window. In addition, this could also enable an attacker to invoke an executable that was already present on the local system, Microsoft warned.

The cumulative patch also sets the Kill Bit on a legacy DirectX ActiveX control which has been retired but which has a security vulnerability.

It has been a busy week of plugging security holes at the Redmond-based firm. On Wednesday, Microsoft warned of a "critical" flaw found in Data Access Components (MDAC) used to provide database connectivity on Windows platforms, warning that the vulnerability could lead to code execution by an attacker.

So far this year, Microsoft has issued 66 security alerts, six more than all of 2001.