Security

Security firm warns of new IE flaw

A security services company points out a new vulnerability in Microsoft's Internet Explorer Web browser that could allow Web surfers to be tricked into downloading malicious files.

A security services company warned of a new vulnerability in Microsoft's Internet Explorer Web browser that could allow Web surfers to be tricked into downloading malicious files.

Danish company Secunia posted details of the alleged flaw, which could be used in combination with an earlier "spoofing" flaw reported by the company.

A Microsoft representative said the company was investigating the report but was not aware of any exploits involving the supposed flaw. The representative also echoed previous criticisms of security researchers publicizing software flaws before software makers can adequately investigate and remedy the problems. "Microsoft continues to encourage the responsible disclosure of vulnerabilities," the representative said.

The new flaw could allow the owner of a malicious Web site to deliberately misidentify a downloadable file, so a malicious program file could be made to appear as if it were a secure file. Visitors might think they were downloading a document based on Adobe's portable document format (PDF), for instance, but actually receive a malicious, self-executing program such as the new MyDoom worm.

Secunia's advisory includes an online test showing how the flaw could be exploited. The company said it identified the hole in the current version 6 of Internet Explorer, but previous releases also could be affected. Secunia representatives did not immediately respond to a request for comment.

The alleged flaw could be particularly effective if used in combination with another IE hole identified by Secunia last month. That flaw lets Web site owners disguise the identity of their site by displaying a false address in the Internet Explorer address and status bars.


Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.


Microsoft has yet to release a patch for that vulnerability, although it has posted a bulletin with tips for avoiding such "spoofed" sites. Among the tips are not clicking hyperlinks. "Rather, type the URL of your intended destination in the address bar yourself," Microsoft advises.

Microsoft's delay in addressing that flaw has drawn criticism from security experts and led an open-source programming group to create its own patch for the flaw.

Microsoft last year instituted a new policy for patching security holes, deciding to cluster fixes in a single monthly release rather than distributing piecemeal updates.