[ISN] Microsoft upgrades IE flaw to critical after criticism

From: InfoSec News (isnat_private)
Date: Tue Dec 10 2002 - 01:02:51 PST

  • Next message: InfoSec News: "[ISN] Guam typhoon tests IT readiness, disaster recovery"

    By Joris Evers
    IDG News Service
    Microsoft raised the risk rating on a security flaw in Internet
    Explorer (IE) to "critical" after criticism prompted it to reexamine
    the issue, the company said Friday.
    Earlier last week, Microsoft issued a patch to fix a flaw in IE 5.5
    and IE 6.0 that it said only posed a "moderate" risk to users.  
    Security experts, however, said the issue should be rated critical as
    it could be exploited to take over a user's machine.
    Microsoft reinvestigated the issue and discovered a new exploit
    scenario that indeed allows an attacker to gain control over a
    vulnerable system, Steve Lipner, director of security assurance for
    Microsoft said in an e-mail response to questions.
    "The newly discovered exploit scenario… could allow a malicious user
    to run code on a user's computer via a specially crafted Web site or
    e-mail message, thus warranting a severity rating of critical," Lipner
    said. Microsoft has revised its security bulletin.
    The flaw lies in a feature meant to set up security boundaries between
    Web browser windows and the local system. This "external object
    caching" vulnerability was first made public in late October by
    Israeli security company GreyMagic Software.
    An attacker could exploit the flaw by luring a user to a specially
    coded Web page or sending that page via HTML e-mail, Microsoft said.  
    The company urges users to apply the patch, part of a super patch that
    includes all previous IE 5.5 and IE 6.0 fixes, as soon as possible.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Dec 10 2002 - 03:41:04 PST