Unpatched IE flaws reported

Security consultant says a hole in Internet Explorer 6 could allow an intruder to run code on a PC.

Ingrid Marson
2 min read
A flaw in Microsoft Internet Explorer's image rendering capabilities may allow attackers to execute code remotely, a security expert has warned.

Michal Zalewski, a security consultant and author, said he has found a number of possible flaws in the way the Web browser software handles JPEG images. Zalewski said that one of the flaws could be exploited for remote arbitrary code execution, a type of attack that is generally categorized as "critical" by security vendors.

Four proof-of-concept images that aim to exploit these flaws have been posted on the Web by Zalewski. Each of these has the potential to crash IE 6, the latest version of Microsoft's browser, even if it has been patched with Service Pack 2. Previous versions of IE may also be affected, according to a SecurityFocus posting. Two of the exploit images also cause memory and CPU problems.

Zalewski said he did not report this bug to Microsoft before publishing it, due to the problems he claims to have experienced with the software giant's bug-reporting process.

"It is my experience that reporting and discussing security problems with Microsoft is a needlessly lengthy process that puts too much burden and effort on the researcher's end, especially if you just have a crash case, not a working exploit; hence, they did not get an advance notice," said Zalewski in a posting on security site Neophasis.

"Microsoft is investigating new public reports of possible vulnerabilities in Internet Explorer, but we have not been made aware of attacks," a representative for the software maker said. "Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. Microsoft is concerned that this new report of possible vulnerabilities in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk."

Earlier this week, another image-processing security vulnerability that affected both IE and MSN Messenger surfaced. That bug was caused by a flaw in the way the applications handle International Color Consortium Profiles, but that problem was fixed by Microsoft in its last set of patches.

More information on the flaws can be found on the SecurityFocus Web site, under bug number 14282 and 14284.

Ingrid Marson of ZDNet UK reported from London.