Newsbytes 2002-05-17
In a reversal of its previous advice, Microsoft is warning that a security flaw in its Internet Explorer browser could enable a malicious Web site or e-mail message to automatically download and run a dangerous program on victims' computers.
The flaw, the exploitation of which requires that Microsoft's Windows Media Player be installed, is one of six security bugs corrected by a patch released Wednesday by Microsoft.
According to Japan's Little Earth Corporation (LAC), which reported the bug to Microsoft on Feb. 13, vulnerable versions of IE will treat executable programs as if they contain "safe" content such as audio, and will automatically run them.
In March, Microsoft published a document at its site dismissing LAC's report as "inaccurate" and said "the problem has nothing to do with either Internet Explorer or the security patch" released last year to correct a similar flaw.
In its bulletin released Wednesday, Microsoft said Internet Explorer versions 6 and 5.01 are vulnerable to the attack and thanked LAC for reporting the issue.
LAC has created a harmless demonstration at its Web site that runs an executable program when users click a hyperlink. Normally, IE should prompt users before downloading and executing such files.
In an updated advisory published today, LAC researcher Arai Yuu said the flaw lies in how IE handles Web content of a type known as "inline disposition."
When a user with a vulnerable browser also has Windows Media Player version 6.4 installed, IE will immediately download and execute programs that have been specified by the Web page using the "Content-disposition: inline" header, Yuu said.
Windows Media Player (WMP) version 6.4 is installed by default on Windows 98 and Windows 2000 systems, according to the researcher.
Users who have upgraded to WMP version 7.1 are not vulnerable, even if running an unpatched version of IE. However, if they have Microsoft's Office 2000 suite installed, the inline-disposition attack will be successful, Yuu said.
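A gateway-side check for the delivery pattern described above, as an added example that is not part of the original article or of either advisory: it flags HTTP responses that serve a Windows executable with an inline content disposition. The function names, extension list and sample responses are constructed for illustration.

```python
# Added example (not from the article): flag HTTP responses that serve a
# Windows executable with "Content-Disposition: inline".
EXEC_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")

def parse_response(raw: bytes):
    """Split a raw HTTP response into (lowercased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body

def disposition(headers):
    """Return (disposition type, filename), lowercased; simplified parsing."""
    parts = [p.strip() for p in headers.get("content-disposition", "").split(";")]
    filename = ""
    for param in parts[1:]:
        key, sep, val = param.partition("=")
        if sep and key.strip().lower() == "filename":
            filename = val.strip().strip('"').lower()
    return parts[0].lower(), filename

def inspect(raw: bytes):
    """Return findings for an inline response that looks like an executable."""
    headers, body = parse_response(raw)
    dtype, filename = disposition(headers)
    if dtype != "inline":
        return []  # only inline responses are in scope for this check
    findings = []
    if body.startswith(b"MZ"):  # DOS/PE executable magic bytes
        findings.append("pe-magic")
    if filename.endswith(EXEC_EXTENSIONS):
        findings.append("exec-extension")
    return findings

# Constructed sample responses (bodies truncated to their first bytes).
SAMPLE_FLAGGED = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                  b'Content-disposition: inline; filename="demo.exe"\r\n\r\nMZ\x90\x00')
SAMPLE_AUDIO = (b"HTTP/1.1 200 OK\r\nContent-Type: audio/wav\r\n"
                b'Content-Disposition: inline; filename="clip.wav"\r\n\r\nRIFF\x00\x00')
SAMPLE_ATTACHMENT = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                     b'Content-Disposition: attachment; filename="setup.exe"\r\n\r\nMZ\x90\x00')

if __name__ == "__main__":
    for name, raw in [("flagged", SAMPLE_FLAGGED), ("audio", SAMPLE_AUDIO),
                      ("attachment", SAMPLE_ATTACHMENT)]:
        print(name, inspect(raw))
```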
Microsoft's original bulletin on the topic, which was removed from the company's site in late March, said exploiting the vulnerability discovered by LAC required that "a third-party media player" be present on the system.
The advisory published by Microsoft Wednesday does not specifically mention Windows Media Player's role in the vulnerability.
Microsoft has rated the flaw a "moderate" security risk and noted that the vulnerability is mitigated because attackers would need to know that their victims have "specific versions of specific applications on their system."
However, Jani Laatikainen, a Finnish security researcher, who was also credited by Microsoft with discovering the flaw, told Newsbytes today that he would not immediately disclose details about the IE bug "because the vulnerability is so easily exploitable by anyone."
LAC's advisory is at http://www.lac.co.jp/security/english/snsadv_e/48_e.html .
Microsoft's bulletin and cumulative patch are at http://www.microsoft.com/technet/security/bulletin/MS02-023.asp .
Reported by Newsbytes, http://www.newsbytes.com .