Surprise… another security flaw has popped up on Microsoft Corp.’s
Internet Explorer 5.x and Outlook Express E-mail service.
This time, even when Active Scripting is disabled it continues to execute —
allowing would-be hackers to use HTML-formatted messages to read files on a
user’s machine.
An advisory put out today by Georgi Guninski, a well-known Bulgarian bug
hunter among software trackers, read:
“It is possible to execute Active Scripting with the help of XML and XSL
even if Active Scripting is disabled in all security zones. This is
especially dangerous in email messages. Though this is not a typical exploit
itself, it may be used in other exploits, especially in email.”
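The advisory's point for defenders is that the Active Scripting setting alone is not a reliable gate when a message carries XML with an XSL stylesheet. A mail gateway can compensate by flagging HTML-formatted messages that embed XML/XSL content, and quarantining those where the XSL also contains a script element. The following is an added example written for this page, not code from Guninski or Microsoft; the element names and the `xml-stylesheet` processing instruction are standard XML/XSLT, while the three-tier policy (allow / review / quarantine) and the sample messages are the example's own assumptions.

```python
import re
from typing import List

# Indicators an inbound-mail filter can use to spot XML/XSL content that may
# carry script. The pattern names are standard XML/XSLT constructs; the choice
# to screen for them is this example's assumption about a sensible mitigation.
XML_STYLESHEET_PI = re.compile(r"<\?xml-stylesheet\b[^>]*\?>", re.IGNORECASE)
XSL_ROOT = re.compile(r"<\s*xsl:(stylesheet|transform)\b", re.IGNORECASE)
XSL_MIME = re.compile(r"type\s*=\s*[\"']text/xsl[\"']", re.IGNORECASE)
# Any script element, with or without a namespace prefix (e.g. vendor
# extension namespaces), so it also catches prefixed forms.
SCRIPT_ELEMENT = re.compile(r"<\s*(?:[\w-]+:)?script\b", re.IGNORECASE)

# Constructed sample message bodies for demonstration (not real mail).
SAMPLE_MESSAGES = {
    "plain_html": "<html><body><p>Meeting at 3pm.</p></body></html>",
    "xml_with_xsl": (
        '<?xml version="1.0"?>\n'
        '<?xml-stylesheet type="text/xsl" href="style.xsl"?>\n'
        "<doc>hello</doc>"
    ),
    "inline_xsl_script": (
        '<xsl:stylesheet version="1.0" '
        'xmlns:xsl="http://www.w3.org/1999/XSL/Transform">\n'
        '<xsl:template match="/"><xsl:value-of select="."/></xsl:template>\n'
        "<script>/* script body omitted */</script>\n"
        "</xsl:stylesheet>"
    ),
}


def xsl_indicators(body: str) -> List[str]:
    """Return the list of XML/XSL and script indicators found in a body."""
    found = []
    if XML_STYLESHEET_PI.search(body):
        found.append("xml-stylesheet-pi")
    if XSL_ROOT.search(body):
        found.append("xsl-root-element")
    if XSL_MIME.search(body):
        found.append("text/xsl-reference")
    if SCRIPT_ELEMENT.search(body):
        found.append("script-element")
    return found


def classify(body: str) -> str:
    """Assumed gateway policy: XSL plus script is quarantined, XSL alone is
    held for review, anything else is passed through unchanged."""
    indicators = xsl_indicators(body)
    has_xsl = any(i != "script-element" for i in indicators)
    if has_xsl and "script-element" in indicators:
        return "quarantine"
    if has_xsl:
        return "review"
    return "allow"


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(f"{name:20s} {classify(body):10s} {xsl_indicators(body)}")
```

The regexes are deliberately loose (case-insensitive, tolerant of whitespace after `<`) because mail bodies are not guaranteed to be well-formed XML; a strict parser would let a malformed-but-renderable message slip through.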
In his advisory Guninski said Microsoft was notified of the problem on April
18, 2001.
Guninski has rated the bug’s risk as “high,” and recommends users shut down
the security breach by disabling Active Scripting, a browser setting that
offers beefed-up functionality.
Microsoft was exploring the advisory and was unavailable for comment by
press time.
In an E-mail received mid-day, the company said a fix is available in its Security Bulletin MS01-015 and is listed under the “Windows Script Host” vulnerability section of the bulletin.
With vulnerability reports concerning Explorer and Outlook on the rise, the
software giant would do well to switch to permanent maintenance mode before
it hooks up to other systems across its .Net platform.