Experts Warn Of IE Download Flaw
A computer security researcher and an antivirus company are warning Microsoft customers about an unpatched hole in the company's Internet Explorer Web browser that could allow a remote attacker to bypass security warnings and download malicious content onto vulnerable systems.
Source: PC World
The warnings came after the hole was identified on the Bugtraq Internet security discussion list by someone using the name "Rafel Ivgi." The hole affects Internet Explorer (IE) version 6.0.0, including the version released with Windows XP Service Pack 2. Using a specially crafted HTML Web document, malicious attackers can bypass the warnings designed to inform users when a file is being passed to their computer.
Microsoft was not able to comment on the hole in time for this story.
Security software company Symantec issued a vulnerability alert about the hole Friday and cited Ivgi, who also provided code proving that the hole existed.
According to the Bugtraq message and Symantec alert, an IE feature designed to catch references to file downloads does not detect a particular HTML event, known as "onclick," when it is combined with the common HTML BODY tag, which designates the beginning and ending of the main part of a Web page.