Zero-Day Exploit Targets IE Flaws Two 'Extremely Critical' Vulnerabilities Discovered Ryan Naraine
Microsoft is mulling a plan to go outside of its monthly patching cycle to release a fix for two "extremely critical" vulnerabilities in its flagship Internet Explorer (IE) web browser.
A Microsoft spokesman reports the company has been investigating public details of a malicious attack exploiting the IE flaws. "Microsoft is actively
investigating these reports, to determine the appropriate course of action to protect our customers. This might include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs."
According to research firm Secunia, the holes can be exploited to open files on the local computer or to bypass IE security zones and execute malicious software in an Internet Zone with less restrictions.
Secunia has confirmed the vulnerabilities in a fully patched system with Internet Explorer 6.0, but machines running beta versions of Windows XP Service Pack 2 are protected.
News of the latest IE flaws has prompted heated discussions on security mailing lists and bulletin boards after a researcher released details of "zero-day exploits" loading adware programs and browser toolbars on vulnerable machines.
The use of adware has sparked controversy in some quarters because many view them as a form of spyware that collects information about the user in order to display advertisements in the web browser based on the information it collects from the user's browsing patterns. Adware typically embeds advertisements into software programs, but because it is typically bundled as a hidden component of programs, user interaction is not necessary to load them.
In this instance, Microsoft warned that it was a "criminal offense" to intentionally use exploit code to cause damage. "[We will] work aggressively with law enforcement to help prosecute individuals or organizations who engage in these activities," the spokesman warns.
As a temporary workaround, the company recommends that enterprise customers increase the security of the Local Machine Zone in Internet Explorer.
Secunia said a successful exploitation requires that a user be tricked into following a link or viewing a malicious HTML document. IE users can disable Active Scripting support as a protection mechanism.
