Microsoft is looking into a pair of new security holes in Internet Explorer (IE) that attackers could use to cause a denial of service or launch malicious code. Proof-of-concept exploit code has been written for one of the flaws.
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
One issue was discovered by vulnerability researcher Jeffrey van der Stad. In a posting on his Web site, he said the software giant had run its own tests and confirmed the flaw. He quoted a Microsoft security team member as saying, "We have been trying to get this fix into the next IE release, but it's been a lot of work to do that, as it's relatively late in the cycle. It looks like it will make it in, though."
The company's next scheduled patch release is April 11.
Cupertino, Calif.-based AV giant Symantec Corp. also looked at Van der Stad's findings and e-mailed an analysis to customers of its DeepSight Threat Management System. While few details were available, Symantec said the problem seems to revolve around HTA files, which are HTML applications that are given higher levels of trust and access to a local system than remote Web pages typically receive.
"A successful attack may allow remote attackers to execute HTA applications in the context of targeted users," Symantec said. "This may allow remote code execution and facilitate the compromise of affected computers."
Symantec outlined the following attack scenario:
- An attacker creates a malicious Web page designed to exploit this issue. The Web site contains a malicious HTA file.
- The attacker distributes links to the Web site, or distributes the malicious content through HTML e-mail messages to targeted users.
- The unsuspecting user visits the malicious Web site, or opens the malicious e-mail message, and the attacker-supplied HTA file is executed.
The problem affects Internet Explorer 6.0 running on Microsoft Windows 98, XP and Windows Server 2003. Symantec also noted that Van der Stad has developed proof-of-concept code for the flaw. To mitigate the threat, Symantec recommended users:
- Run all software as a non-privileged user with minimal access rights.
- Run the client browser as a user with the minimal amount of privileges required for functionality. This will reduce the potential negative affects of this and other latent vulnerabilities.
- Do not follow links provided by unknown or untrusted sources.
- Refrain from visiting sites of questionable integrity and following links that originate from unknown or untrusted users.
- Set Web browser security to disable the execution of script code or active content.
- As an extra precaution, disable support for active scripting in the browser. This may prevent a successful attack if this issue depends on active scripting for exploitation.
Meanwhile, the second flaw was discovered by researcher Michal Zalewski, who posted an analysis on the BugTraq forum.
In its advisory, Danish vulnerability clearinghouse Secunia said attackers could exploit the flaw to cause a denial of service.
"The vulnerability is caused due to an array boundary error in the handling of HTML tags with multiple event handlers," Secunia said. "This can be exploited to crash a vulnerable browser via a HTML tag with 94 or more event handlers. The weakness has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2."
Secunia recommended users mitigate the threat by staying away from untrusted Web sites.
A Microsoft spokesman said Tuesday that the vendor is looking into the reported flaws and that it is not currently aware of any attacks attempting to use the reported vulnerability.
He said that upon completion of the investigation, "Microsoft will take the appropriate action to protect our customers, which may include issuing a security advisory or providing a security update through our monthly release process, depending on customer needs."
This article originally appeared on SearchSecurity.com.