resource center
  See your link here
|
IDG News Service - Microsoft Corp. is readying an update to Internet Explorer following the recent discovery of two unpatched IE vulnerabilities, including one bug that could allow attackers to seize control of a victim's PC.
"We're working on an update to Internet Explorer, and that update is currently in our testing process and could come out as early as April," said Stephen Toulouse, a security program manager at Microsoft's security response center. "However, there's no firm date."
The most significant of the two vulnerabilities was discovered earlier this month by Web developer Jeffrey van der Stad. He claims to have uncovered a way for attackers to trick IE into executing HTML application (HTA) files without the user's permission. HTA is a Microsoft-created format that is used to create HTML-based applications.
Victims could have their systems compromised by visiting a Web site that contains the malicious code, van der Stad said. "With a specially designed Web site, it is possible to execute such a file without any prompt," he said.
Van der Stad hasn't published technical details of his bug, but Microsoft has been able to reproduce the problem and is hoping to have it patched in its next IE release, he said.
A bug that let attackers launch unauthorized HTML applications could be exploited to seize control of a Windows system, according to Russ Cooper, a senior information security analyst at Cybertrust Inc. "Just think of it as an executable," he said.
Still, Cooper believes that because of the difficulties involved in first tricking users into visiting a malicious Web site, it is unlikely that this bug will ever be exploited in a widespread fashion. "You need a Web site, and it needs to stay up or you have to keep changing it, which means changing the [malicious link] to it you sent everyone," he said.
Toulouse wouldn't comment on whether Microsoft considered the bug to be severe, saying that this information would "put customers at risk by providing attackers [with] information before the update is available."
He also didn't say whether he expects this problem to be patched during the company's next group of security updates, scheduled for April 11.
However, Microsoft has confirmed that it is investigating a separate IE vulnerability that could cause the browser to crash. Code that takes advantage of this vulnerability has already been published on the Internet. But because the bug doesn't appear to cause anything worse than a browser crash, it is not considered critical, according to security vendors.
Microsoft has confirmed that this bug can crash IE, the company said in a note published today.
Van der Stad's comments on the bug he discovered, which he calls Grasshopper, can be found online.
IDG.net
The Commercialization of ITIL: Lessons Learned
Register for this event today!
Oracle Accelerate - Not Just Smart but Timely
Download Now!
Key Findings: Accelerating ROI with BPM
Click here to watch now!
Why BI is Ripe - Now! - For Businesses of Any Size
Download Now!
Data Protection is not an insurance policy -you cannot buy-back lost data
Find out why you need to maintain access to critical information to run your business and remain competitive.
Sign up to receive updates on the latest Software resources
CIO
Computerworld
CSO
DEMO
GamePro
Games.net
IDC
IDG
IDG Connect
IDG Knowledge Hub
IDG TechNetwork
IDG Ventures
IDG.net
InfoWorld
ITwhitepapers
ITworld
JavaWorld
LinuxWorld
Macworld
Network World
PC World
The Industry Standard
Copyright © 1994 - 2009 Computerworld Inc. All
rights reserved. Reproduction in whole or in part in any form or medium
without express written permission ofComputerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc. |
