Browser Hole Discovered After Code Leak

Joris Evers, IDG News Service
 

February 23, 2004 (Computerworld) A bug hunter last week claimed to have uncovered a security flaw in Microsoft Corp.'s Internet Explorer 5 Web browser by studying Windows source code that was leaked earlier this month.
The vulnerability allows an attacker to gain control over a user's computer by using a specially crafted bitmap file. When loaded using IE 5, the file will trigger an overflow error and allow the attacker to run arbitrary code on a victim's machine, according to a description of the flaw posted Feb. 15 on the SecurityTracker.com Web site. The flaw, which was uncovered by reviewing IE source code that was part of a larger Windows code leak, exists in all versions of IE 5 for all Windows versions, according to the description.
Millions of Internet users -- 17% of Internet users worldwide -- have some version of IE 5 installed, according to Web tracking company WebSideStory Inc. in San Diego.
Future Ramifications
Thor Larholm, a senior security researcher at PivX Solutions LLC in Newport Beach, Calif., investigated the report and tested code to exploit the flaw, and he confirmed the vulnerability.
The IE 5 problem highlights the security implications of such code leaks, which a hacker could use to find security holes, Larholm said. "This has definitely proven the potential for critical vulnerabilities," Larholm said.
Microsoft began investigating the vulnerability report on Feb. 16. The company had previously discovered the security problem internally and fixed it in IE 6.0, according to officials.
The vendor urged IE 5 users to upgrade to IE 6.0 with Service Pack 1. However, IE 5.01 with Service Pack 2 is still supported, according to Microsoft's product support Web page. The company is working on a patch for this version and other versions of the Web browser that predate IE 6.0 and is investigating why it didn't fix the flaw in those versions before, a Microsoft spokesman said.
Microsoft confirmed earlier this month that incomplete portions of its closely guarded Windows NT and Windows 2000 source code had been leaked on the Internet.
Analysts and security experts at the time warned that a breach of the Windows source code could expose users to an increase in cyberattacks because it would make it easier for hackers to find holes in the operating systems that they could exploit.
Evers writes for the IDG News Service.