RealTime IT News

Secunia Upgrades IE Flaw

Denmark-based security firm Secunia has upgraded a warning issued last year regarding a known vulnerability for computer users running Windows XP Service Pack 2 and Internet Explorer (IE) 6.0 from "highly" to "extremely" critical, according to an advisory published Friday.

It's an update to an advisory first issued Oct. 20, 2004, which found the combined use of an HTML Help control flaw and a drag-and-drop vulnerability bypassed the "Local Computer" zone lockdown security feature in XP SP2.

The vulnerability affects Web surfers who visit a Web site where an attacker has manipulated the site to use the ActiveX Data Object (ADO) model to write arbitrary files onto the user's computer without the person's knowledge.

Microsoft had already released a patch for the drag-and-drop vulnerability, but officials were assessing the combo vulnerability's impact before deciding whether to issue a patch. At the time, officials said installing the patch and disabling the "drag and drop or copy and paste files" option would be enough to prevent the vulnerability.

Microsoft officials said the Secunia advisory doesn't bring anything new to the table.

"This new report describes an exploit that takes advantage of two previously reported vulnerabilities in Internet Explorer," a statement by Microsoft reads. "Microsoft is currently working on an update to address these vulnerabilities. Customers who have followed our Safe Browsing guidance and have set their Internet Security zone settings to 'high' are not impacted by this vulnerability. Enterprise administrators who have restricted access to the 'startup' folder on their network client computers are at a reduced risk from this vulnerability."

Secunia also learned about a second HTML Help control flaw, a variant of the first control flaw that creates a security site/zone restriction error in the handling of the "Related Topics" command. Officials originally believed the control flaw only worked in conjunction with the drag-and-drop flaw, but have now found it can be used to facilitate an exploit on its own. Attacks against this vulnerability are now much easier to perpetrate, said Thomas Kristensen, Secunia CTO.

"So there is definitely a very good reason to take this very seriously and consider what actions you want to take against this vulnerability," he said. "I think this is the worst vulnerability we have seen in Internet Explorer on Windows XP, XP [SP] 2 so far, so that alone makes it more interesting, unfortunately."

Kristensen said the advisory was specific to Windows XP users with SP 2, but believes earlier versions of the software may be affected, as well.

Secunia officials recommend users switch to another type of browser until Microsoft comes up with a fix. Alternatively, they suggest users follow Microsoft's advice and disable the "drag and drop or copy and paste files" feature in IE and set the security level to "high."

Secunia also posted a test application for Windows XP SP 2 and IE 6.0 users to determine whether their systems are vulnerable.