IDG News Service - Microsoft Corp. raised the risk rating on a security flaw in Internet Explorer (IE) to "critical" after criticism prompted the company to re-examine the issue.
Last week, Microsoft issued a patch to fix a flaw in IE 5.5 and IE 6.0 that it said posed only a "moderate" risk to users. Security experts, however, said the issue should be rated critical because it could be exploited to take over a user's machine.
Microsoft reinvestigated the issue and discovered a new exploit scenario that indeed allows an attacker to gain control over a vulnerable system, Steve Lipner, director of security assurance at Microsoft, said in an e-mail response to questions.
"The newly-discovered exploit scenario ... could allow a malicious user to run code on a user's computer via a specially-crafted Web site or e-mail message, thus warranting a severity rating of critical," Lipner said. Microsoft said Friday it had revised its security bulletin MS02-068.
The flaw lies in a feature meant to set up security boundaries between Web browser windows and the local system. This "external object caching" vulnerability was first made public in late October by Israeli security company GreyMagic Software.
An attacker could exploit the flaw by luring a user to a specially coded Web page or by sending that page via HTML e-mail, Microsoft said. The company urged users to apply the patch, part of a superpatch that includes all previous IE 5.5 and IE 6.0 fixes, as soon as possible.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
