Microsoft to update IE after bugs found

Robert McMillan   Today’s Top Stories   or  Other Security Stories  

HP StorageWorks EVA4400 & Oracle HP StorageWorks EVA4400 & VMWare Take Control! Managing Your Application Library Best Practices: Migrate from Lotus Notes to Microsoft Exchange & SharePoint The Trend from Unix to Linux in SAP Data Centers Go Green with Webroot® Perimeter Security SaaS! SaaS Solutions for Remote Systems Management Virtual Reality SaaS Solutions for Remote Systems Management Sign up to receive Software Resource Alerts

March 21, 2006 (IDG News Service) -- Microsoft Corp. is readying an update to Internet Explorer following the recent discovery of two unpatched IE vulnerabilities, including one bug that could allow attackers to seize control of a victim's PC.

"We're working on an update to Internet Explorer, and that update is currently in our testing process and could come out as early as April," said Stephen Toulouse, a security program manager at Microsoft's security response center. "However, there's no firm date."

The most significant of the two vulnerabilities was discovered earlier this month by Web developer Jeffrey van der Stad. He claims to have uncovered a way for attackers to trick IE into executing HTML application (HTA) files without the user's permission. HTA is a Microsoft-created format that is used to create HTML-based applications.

Victims could have their systems compromised by visiting a Web site that contains the malicious code, van der Stad said. "With a specially designed Web site, it is possible to execute such a file without any prompt," he said.

Van der Stad hasn't published technical details of his bug, but Microsoft has been able to reproduce the problem and is hoping to have it patched in its next IE release, he said.

A bug that let attackers launch unauthorized HTML applications could be exploited to seize control of a Windows system, according to Russ Cooper, a senior information security analyst at Cybertrust Inc. "Just think of it as an executable," he said.

Still, Cooper believes that because of the difficulties involved in first tricking users into visiting a malicious Web site, it is unlikely that this bug will ever be exploited in a widespread fashion. "You need a Web site, and it needs to stay up or you have to keep changing it, which means changing the [malicious link] to it you sent everyone," he said.

Toulouse wouldn't comment on whether Microsoft considered the bug to be severe, saying that this information would "put customers at risk by providing attackers [with] information before the update is available."

He also didn't say whether he expects this problem to be patched during the company's next group of security updates, scheduled for April 11.

However, Microsoft has confirmed that it is investigating a separate IE vulnerability that could cause the browser to crash. Code that takes advantage of this vulnerability has already been published on the Internet. But because the bug doesn't appear to cause anything worse than a browser crash, it is not considered critical, according to security vendors.

Microsoft has confirmed that this bug can crash IE, the company said in a note published today.

Van der Stad's comments on the bug he discovered, which he calls Grasshopper, can be found online.

Reprinted with permission from

IDG.net
Story copyright 2008 International Data Group. All rights reserved.

Print this Story

Send Us Feedback

E-mail this Story

Digg this Story

Slashdot this Story

"Need help sorting through the hype of cloud computing? Here's some IDC research on the benefits, barriers -- and what..." Read more... Read more Security posts or See all Blogs

Update: AMD spins off manufacturing to cut costs, raise funds IBM launches Bluehouse, a Facebook for business iPhone grabs top smart phone spot More top stories...

Microsoft's (un)secret weapon for winning the BI battle Microsoft scales out SQL Server 2008, wants to 'democratize BI' Oracle tries to step up on high-end databases

Health hazards for IT workers -- how that desk job wears your body down Too much junk food, too little exercise and a 24/7 tether to technology? Your body ain't happy, friend. Let us count the pains. NASA robot sends back evidence it's snowing on Mars Instruments on the surface of Mars have detected falling snow that is likely evaporating before it reaches the planet. Wall Street's collapse may be computer science's gain One positive development stemming from the collapse of Wall Street may be a boost in interest in computer science and IT careers among students who were previously interested in financial services jobs. Installing Linux apps: A few good tips Getting new software installed on Linux doesn't have to be hard, but it can differ depending on what you're installing. Windows Vista A to Z Reviews, analyses, how-tos, visual tours, hot issues and predictions about Microsoft's new OS. More Continuing Coverage After 9/11: Homeland Security Apple's iPhone Ask a Premier 100 IT Leader Bill Gates steps down BlackBerry Legal Battle Data Security Breaches Electronic Voting Firefox H-1B Visas HP's Boardroom Scandal Handheld Devices Hurricane Katrina Aftermath Microsoft Legal Issues Microsoft's Vista Open Source RFID Technology SCO's Linux Fight Sarbanes-Oxley Act Spam Voice Over IP Wi-Fi Windows Meta File Vulnerability Windows XP Service Pack 3 IT Careers 2010 Four years from now, the IT field will be a vastly different place. Will you be ready? More Special Reports Premier 100 IT Leaders 2007 Best in Class 2006 Computerworld Horizon Awards 2006 Premier 100 IT Leaders 2006 Salary Survey 2007 Best Places to Work in IT 2007 IT Forecast 2007 Premier 100 IT Leaders 40 Years of Computerworld ASPs, Take Two Best Places to Work in IT 2003 Best Places to Work in IT 2004 Best Places to Work in IT 2005 Best Places to Work in IT 2006 Business Intelligence Home Runs Business Intelligence: Smarter BI Business Intelligence: The Future of BI CRM Goes Vertical CRM: Sober CRM Career Planning Guide 2005 Careers: IT Profession 2010 Computerworld Horizon Awards 2005 Data Management: Mining for Gems Data Management: Taming Data Chaos Development: Hard-Workin' Web Sites Development: New Tools New Choices Development: The New World of Application Development Development: The Web Services Tsunami Development: Web Services Hurdles Disaster Recovery: Preparing for the Worst E-commerce Grows Up E-mail/Groupware: Big Decisions Faces of Mobile IT Forecast 2006 Global Mobile Hardware: Multiple Cores, Multiple Challenges Hardware: On-Demand Un-Hyped Hardware: The Shape of Things to Come Horizon Awards: 10 Cool Cutting Edge Technologies IT Management: Guide to Managing Vendors IT Management: Navigating Global IT IT Management: Recovery Ahead IT Management: The Future of IT IT Management: The Resourceful Project Manager Innovative Technology Awards 2004 Management: Reinventing IT Microsoft in Transition Mobile/Wireless Leaders and Laggards Mobile/Wireless: The Untethered Worker Mobile/Wireless: Tiny Gadgets, Huge Costs Network Management: Taking Control Networking: Turbulence Ahead! Networking: VoIP Goes Mainstream Operating Systems: In the Slow Lane Operating Systems: Linux Goes Global Operating Systems: Should You Nix Unix? Outsourcing: Offshore Buyer's Guide Outsourcing: Outsourcing Dangers Premier 100 IT Leaders 2004 Best in Class Premier 100 IT Leaders 2005 Best in Class ROI: Do the Math! Salary Survey 2003 Salary Survey 2004 Salary Survey 2005 Security Action Plan Security: Compliance Headaches Security: Proactive Security Security: Risk and Reward Security: Tips From Security Pros Souped-up Security Storage: Battling Complexity Storage: Cheap & Secure Data Stores Storage: Stretching Your Storage Dollars Storage: The Lean Storage Machine Storage: The New Rules of Storage Storage: The Ultimate Backup Guide Supply Chain: Missing Links Supply Chain: RFID Reality Check The Business of Security Web 2.0 Security Wireless: Wireless At Work All Zones Application Performance Zone Business Continuity Zone The File Data Management Zone Security Management Zone The SAS Zone Business Intelligence and Analytics Zone Windows Protection Zone The Enterprise Search Zone Software as a Service Zone See your link here

SaaS Solutions for Remote Systems Management Download this Technology Briefing, free, compliments of Dell. (Source: Dell) The benefits of Software as a Service (SaaS) are extending their reach into systems management. So in addition to the more obvious cost control and rapid application deployment benefits, SaaS can be instrumental in filling needs for compliance, security and business continuity - all the while reducing costly infrastructure. Learn more in this brand new Technology Briefing. Download this executive briefing  From Laggard to Leader: Transforming the Data Center From Laggard to Leader: Transforming the Data Center Register for this complimentary webcast today! Go to the webcast  White Papers Read up on the latest ideas and technologies from companies that sell hardware, software and services. Putting the Right Model in Place to Better Balance IT Supply and Business Demand Six Project Metrics Every CIO Should Know for Application Delivery Success Project Portfolio Management - Boost the value of IT View more whitepapers

• Update: AMD spins off manufacturing to cut costs, raise funds
• Microsoft's (un)secret weapon for winning the BI battle
• IBM launches Bluehouse, a Facebook for business
• More top stories 

Brought to you by Computerworld and InfoWorld, this virtual conference focuses on key areas such as: Service-oriented architecture (SOA) The event-driven enterprise Software-as-a-service (SaaS) Business architecture Plus many more tools to build, implement and maintain an agile architecture for the enterprise. This new and exciting event is available on demand October 1, 2008 through January 1, 2009. Visit the show floor now

"Turning information into a Competitive Advantage" Companies today are realizing that competitive advantage is harder to sustain when based solely on gains in productivity and cost efficiency. The focus is shifting to invest more in business optimization initiatives which rely on trusted information to develop new insights that deliver better business results. But how can this be done efficiently in a business environment across multiple applications and processes. The answer is an Information Agenda - an innovative approach to transforming business information into a strategic asset for competitive advantage. View this webcast now!  See more Webcasts

Best Places to Work in IT Where can you earn top dollar, get the best benefits, the latest IT and more? Find out in our 14th annual survey.