A Chinese security researcher has warned of five serious vulnerabilities in Microsoft’s Internet Explorer browser, cautioning that a successful exploit could lead to system takeover.
Liu Die Yu released details of the flaws on the Bugtraq mailing list and warned that the vulnerabilities could lead to system access, exposure of sensitive information, cross-site scripting and security bypass.
Liu also released proof-of-concept exploits on the popular mailing list, noting that the flaws affect Internet Explorer versions 5.0, 5.5 and 6.0.
Independent security consultancy Secunia has rated the flaws ‘Extremely Critical’ and urged IE users to disable Active Scripting as a workaround until Microsoft issues a fix.
The flaws relate to a redirection feature in the browser that uses the “mhtml:” URI handler. The researcher warned that it could be exploited to bypass a security check in Internet Explorer which normally blocks web pages in the “Internet” zone from parsing local files.
Liu said the redirection feature could also be exploited to download and execute a malicious file on a user’s system. Successful exploitation requires that script code can be executed in the “MyComputer” zone, he explained.
The security alert also included a cross-site scripting vulnerability that could allow a malicious attacker to execute script code in the security zone associated with another Web page if it contains a subframe.
A variant of a previously fixed flaw can still be exploited to hijack a user’s clicks and perform certain actions without the user’s knowledge, the researcher explained.
Microsoft, which usually issues cumulative patches to fix Internet Explorer vulnerabilities, has adopted a new schedule to release fixes on the second Tuesday of every month. However, the company has said it would break that schedule if active exploits are circulating and causing major damage.
Microsoft late Wednesday confirmed it was investigating Liu’s warnings. “We have not been made aware of any active exploits of the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports,” said Stephen Toulouse, Security Program Manager, Microsoft Security Response Center.
Toulouse told internetnews.com Microsoft would take the “appropriate action to protect our customers” and hinted that a fix could come via an out-of-cycle patch, depending on the seriousness of its findings.
He said Microsoft was concerned that Liu’s warnings were not disclosed responsibly, potentially putting computer users at risk. “We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone’s best interests, by helping to ensure that customers receive comprehensive, high-quality patches for security vulnerabilities with no exposure to malicious attackers while the patch is being developed,” Toulouse declared.
In the interim, Toulouse is recommending that IE users install the cumulative patch issued earlier this month (MS03-048).
Separately, the software giant released a knowledge base advisory to fix a flaw in Microsoft Exchange Server 2003. The company said the issue relates to the way Windows SharePoint Services uses Kerberos authentication.
“To configure a virtual server that is extended with Windows SharePoint Services to use Kerberos authentication, you must first enable Kerberos in IIS, and then configure an SPN for the domain account that the virtual server is running as,” the company explained.