RealTime IT News

Scripting Vulnerability Detected in MS IE and Outlook Express

Surprise... another security flaw has popped-up on Microsoft Corp.'s Internet Explorer 5.x and Outlook Express E-mail service.

This time, even when Active Scripting is disabled it continues to execute -- allowing would-be hackers to use HTML-formatted messages to read files on a user's machine.

In an advisory put out today, by Georgi Guninski, a well-known Bulgarian bug hunter among software trackers, read:

"It is possible to execute Active Scripting with the help of XML and XSL even if Active Scripting is disabled in all security zones. This is especially dangerous in email messages. Though this is not typical exploit itself, it may be used in other exploits especially in email."

In his advisory Guninski said Microsoft was notified of the problem on April 18, 2001.

Guninski has rated the bug's risk as "high," and recommends users shut-down the security breech by disabling Active Scripting, a browser setting that offers beefed-up functionality.

Microsoft was exploring the advisory and was unavailable for comment by press time.

In an E-mail received mid-day, the company said a fix is available in its Security Bulletin MS01-015 and is listed under the "Windows Script Host" vulnerability section of the bulletin.

With vulnerability reports concerning Explorer and Outlook on the rise, the software giant would do well to switch to permanent maintenance mode before it hooks up to other systems across its .Net platform.