http://news.com.com/More+security+hiccups+for+IE/2100-1002_3-5457105.html By Robert Lemos Staff Writer, CNET News.com November 17, 2004 Microsoft's Internet Explorer has become a turkey shoot for flaw finders. This week, three more vulnerabilities were found in version 6 of the software giant's flagship Web browser, security information provider Secunia said on Wednesday. That brings the total number of IE vulnerabilities disclosed in the past two months to 19, including eight flaws fixed by Microsoft during its October patch cycle. The latest flaws were found by two different researchers, Secunia said. Two could be used together to allow malicious content to bypass an mechanism in Microsoft Windows XP Service Pack 2 that alerts people about potentially harmful programs, Secunia stated. The third vulnerability could be used to overwrite the cookies of a trusted site to hijack a Web session, if the site handles authentication in an insecure manner, according to that advisory. The flaws were rated "moderately critical" and "not critical," respectively, by Secunia. "We have not been made aware of any active attacks against the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports," Microsoft said in a statement sent to CNET News.com. The company said that customers who needed advice should visit its software security site and its PC Protect site for home users. Microsoft also criticized the researchers for publicizing the flaws without allowing it to work to solve the problems first. "Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk," the company said in the statement. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests." Security researchers and hackers, however, are not paying heed to the software giant's standard chastisement of public disclosure. In the past two months, flaw finders have publicized critical Internet Explorer vulnerabilities and a slew of security issues in Service Pack 2, the company's latest update to Windows XP. Already, viruses have started to use the critical Internet Explorer flaw to spread. _________________________________________ Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/
This archive was generated by hypermail 2.1.3 : Thu Nov 18 2004 - 04:26:54 PST