IE 5.5 bugged in first week

A newly discovered security bug in Microsoft's Internet Explorer 5.5 browser promises to send the company's engineers back to work on a product released just this week.

The security hole lets an attacker read files on a target's computer, according to Georgi Guninski, the Bulgarian bug hunter who demonstrated the bug.

The problem, as described in a Guninski advisory, lies in an ActiveX control that ships with IE 5.5, released this week, and with earlier versions of the browser. ActiveX is Microsoft's method of letting a Web browser interact with other, more powerful desktop applications. The technology has been the target of security concerns for some time.

The ActiveX control ships with Microsoft's Dynamic HTML (DHTML) editing component (DHTMLED), which normally lets Web authors add automated page editing to their sites.

But through a problem with Microsoft's implementation of the Document Object Model (DOM), a standard way of letting scripts act on individual elements of a Web page, the edit component lets a malicious attacker peek at information on a victim's computer using a combination of frames--smaller windows within the Web page--and the clipboard, where computers temporarily store information when it is being cut or copied.

In his advisory, Guninski hinted that the combination of frames and the edit component could pose further security risks.

A Microsoft representative said the company was investigating Guninski's report but could not offer further comment.

Guninski's advisory--one in a lengthening string of security and privacy issues he has discovered in Microsoft's software--circulated on the Bugtraq mailing list with commentary from a security analyst exasperated with the unchecked pace of newly discovered security flaws.

"Instead of discussing the details of yet another browser security vulnerability, this is a good opportunity to focus on what can really be done to stop the never-ending flow of bugs," wrote SecurityFocus analyst and Bugtraq moderator Elias Levy. "It is obvious that the current approach of releasing code and patching it when a bug is found is not working. The current security technology in consumer operating systems is woefully inadequate for the Internet age."
