- 12 myths about how the Internet works
- Smartphone smackdown: Storm vs. iPhone
- IETF: Should we ignore the Kaminsky bug?
- Top 10 wicked cool algorithms
- How to recession-proof yourself
Microsoft late Wednesday issued a patch to fix a flaw in Internet Explorer (IE) that it says poses only a "moderate" risk to users. Security experts, however, say the vulnerability is serious and could be exploited to take over a user's machine.
The flaw affects IE 5.5 and IE 6.0 and lies in a feature meant to set up security boundaries between Web browser windows and the local system. Exploiting it could enable an attacker to read information on a user's computer and invoke programs already on the PC, according to a Microsoft security bulletin.
"This is an extensive downplaying of the severity," says Thor Larholm, a Copenhagen-based security researcher with PivX Solutions. "An attacker can in fact take any action on a system a local user could, including modifying files, formatting the hard drive and uploading applications."
This "external object caching" vulnerability was first made public in late October by Israeli security company GreyMagic Software, together with a score of other IE flaws.
An attacker could exploit the flaw by luring a user to an especially coded Web page or sending that page via HTML e-mail, Microsoft said. The Redmond, Wash., company advises users to consider applying the patch, part of a super patch that includes all previous IE 5.5 and IE 6.0 fixes.
Larholm, who has close ties to GreyMagic, warns that an exploit for the external object caching flaw will likely be out soon, since the flaw was first made public in October. He urges users to patch up as soon as possible. Another 18 publicly known but unpatched vulnerabilities remain in IE, of which six are serious, Larholm said.
Microsoft last month changed the way it rates security issues because customers complained they could not identify the most serious vulnerabilities, the company has said.
Under the new system, fewer bulletins get the "critical" stamp. The only vulnerabilities now rated critical are those that could be exploited to allow malicious Internet worms to spread without user action. Many issues that were previously rated critical are now "important," a new category in the rating system. Important vulnerabilities could expose user data or threaten system resources.
Rated "moderate" are vulnerabilities that are difficult to exploit because of default configuration, auditing, or just plain difficulty of exploitation, according to Microsoft's rating scheme.
Rss FeedRss Feed
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 The Leader in Network Knowledge© 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask prospective vendors to get the right endpoint solution.
Download the white paper.
Applications: taking back control
Employees installing unauthorized applications is a growing threat to business security and productivity. Cost-effectively reduce this threat by integrating control into your malware protection.
Learn more today.
Comment