Microsoft Introduces New IE, Outlook Fixes
Microsoft
The IE flaw exists in the software's cross-domain security model because the
security checks that IE carries out when particular object caching
techniques are used in Web pages are incomplete. This could allow a Web site
in one domain access to information in another, including the user's PC.
The flaw enables perpetrators to read any file on the computers of users
running IE versions 5.5 and 6.0. The attacker could also invoke an
executable that was already present on the local system. However, this is
not as easy as it seems: the attacker would need to know the location of the
command, and would not be able to pass parameters to it.
One major relief is that attackers cannot modify, add or delete files
on the user's machine.
As for the Outlook flaw, Microsoft said it is an e-mail header processing
bug, which could cause a denial-of-service
The e-mail message could be deleted by an e-mail administrator, or by the
user via another e-mail client such as Outlook Web Access or Outlook
Express, after which point the Outlook 2002 client would again function
normally. The vulnerability is considered moderate because it could not be
used to read, delete, create or alter the user's e-mail. Outlook 2002
clients using POP3, IMAP, or WebDAV protocols are vulnerable, but a patch to
correct this flaw is available.
Microsoft's new bulletins come a few
weeks after the company pledged to change its security posting protocol
to make the warnings less technical.
Microsoft late
Wednesday introduced two new security patches, which seal moderate flaws in
versions 5.5 and 6.0 of its Internet Explorer browser and in Outlook 2002.