Microsoft is mulling a plan to go outside of its monthly patching cycle to release a fix for two “extremely critical” vulnerabilities in its flagship Internet Explorer (IE) Web browser.
A Microsoft spokesman said the company was investigating public details
of a malicious attack exploiting the IE flaws. “Microsoft is actively
investigating these reports, to determine the appropriate course of action
to protect our customers. This might include providing a fix through our
monthly release process or an out-of-cycle security update, depending on
customer needs.”
According to research firm Secunia, the holes can be exploited to open
files on the local computer or to bypass IE security zones and execute
malicious software in an Internet Zone with fewer
restrictions.
Secunia has confirmed the vulnerabilities in a fully patched system with
Internet Explorer 6.0, but machines running beta versions of Windows XP
Service Pack 2 are protected.
News of the latest IE flaws has prompted heated discussions on security
mailing lists and bulletin boards after a researcher released details of “zero day exploits” loading adware programs and
browser toolbars on vulnerable machines.
The use of adware
quarters because many view them as a form of spyware
collects information about the user in order to display advertisements in
the Web browser based on the information it collects from the user’s
browsing patterns. Adware typically embeds advertisements into software
programs, but because it is usually bundled as a hidden component of
programs, user interaction is not necessary to load it.
In this instance, Microsoft warned that it was a “criminal offense” to
intentionally use exploit code to cause damage. “[We will] work
aggressively with law enforcement to help prosecute individuals or
organizations who engage in these activities,” the spokesman said.
As a temporary workaround, the company recommends that enterprise
customers increase the security of the Local Machine Zone in Internet Explorer.
Secunia said successful exploitation requires that a user be
tricked into following a link or viewing a malicious HTML document. IE users can disable Active Scripting support as a protection mechanism.