For the second time this year, Microsoft has issued a
cumulative patch for six new security vulnerabilities in its flagship
Internet Explorer browser product, the most serious of which allows an
attacker to execute commands on a user’s system.
On the heels of Microsoft’s ‘mother of
all patches’ issued for IE flaws back in May, the software giant warned
that IE versions 5.01, 5.5 and 6.0 contain several newly-discovered
vulnerabilities and pinned an “important” rating on the latest cumulative
patch.
The advisory contained a fix for a flaw in the way IE checks the components that the
OBJECT tag calls. This bug lets intruders obtain the name of the Temporary
Internet Files folder on the user’s local machine. “The vulnerability would
not allow an attacker to read or modify any files on the user’s local
system, since the Temporary Internet Files folder resides in the Internet
security zone.”
“Knowledge of the name of the Temporary Internet Files folder could allow an
attacker to identify the username of the logged-on user and read other
information in the Temporary Internet Files folder such as cookies,” it
added.
The latest patch includes the functionality of all
previously-released IE fixes and seeks to eliminate a buffer overrun
vulnerability that occurs because Internet Explorer does not correctly check
the parameters of a PNG graphics file when it is opened.
While this bug could only be used to crash the IE browser, Microsoft warned
that a number of other products — notably, most Microsoft Office products
and Microsoft Index Server — rely on IE to render PNG files, and an exploit
of this flaw would cause those to fail as well.
The company also found an information disclosure vulnerability related to
the way that IE handles encoded characters in a URL, warning that this bug
could allow an attacker to craft a URL containing some encoded characters
that would redirect a user to a second web site. “If a user followed the
URL, the attacker would be able to piggy-back the user’s access to the
second website. This could allow the attacker to access any information the
user shared with the second web site,” it warned.
Microsoft said three of the new vulnerabilities result from incomplete
security checks being carried out when using particular programming
techniques in web pages, and would have the effect of allowing one website
to access information in another domain, including the user’s local system.
This security hole could let a web site operator read, but not change, any
file on the user’s local computer that could be viewed in a browser window.
In addition, this could enable an attacker to invoke an executable that
was already present on the local system, Microsoft warned.
The cumulative patch also sets the Kill Bit on a legacy DirectX ActiveX
control which has been retired but which has a security vulnerability.
It has been a busy week of plugging security holes at the Redmond-based
firm. On Wednesday, Microsoft warned
of a “critical” flaw found in Data Access Components (MDAC) used to provide
database connectivity on Windows platforms, warning that the vulnerability
could lead to code execution by an attacker.
So far this year, Microsoft has issued 66 security alerts, six more than all
of 2001.