Newsbytes 2002-02-12
A bundle of software fixes designed to close security holes in Microsoft's [NASDAQ:MSFT] Web browser leaves Internet Explorer users vulnerable to several published attacks.
The patch, which was released by Microsoft Monday, "eliminates all known security vulnerabilities affecting Internet Explorer," according to bulletin MS02-005 from the company. Six bugs, two of which are rated "critical," are addressed by the cumulative patch, Microsoft said.
But tests performed by Newsbytes and independent security researchers show that the Feb. 11 patch only partially closes two vulnerabilities and does not address at all a flaw in Internet Explorer version 6 that could allow remote attackers to execute programs on a client system.
The unpatched flaw, known as the "IE Pop-Up OBJECT Tag Bug," was reported to Microsoft on Jan. 10 by a security researcher using the nickname ThePull.
A demonstration at ThePull's site successfully exploited the flaw on Windows 98 and Windows 2000 systems running IE6 with the latest IE patch.
The security bug, which has been logged in a vulnerability database operated by SecurityFocus.com as the "Arbitrary Program Execution Vulnerability," allows a malicious Web site or HTML e-mail to execute programs that exist on the hard disk of the victim.
Microsoft officials were not immediately available for comment.
Another IE flaw identified by ThePull, which Microsoft has termed the "Frame Domain Verification Variant via Document.Open function," appears to have been only partially corrected by the Feb. 11 patch.
According to a question-and-answer section of Microsoft's bulletin, the patch eliminates "all known variants" of the Document.Open vulnerability. Tests by Newsbytes, however, show that the patch fails to block fully an exploit that could transmit some files from a victim's computer to a system operated by an attacker.
ThePull notified Microsoft about the Document.Open flaw, which SecurityFocus has dubbed the "Same Origin Policy Violation Vulnerability," on Dec. 19.
Microsoft's new IE patch also fails to address a security vulnerability reported to the company Dec. 15. The flaw in the XMLHTTP component of IE6 appears to have been closed on Windows 2000 systems through a security roll-up package released last month, according to independent security researchers Thor Larholm and Tom Gilder.
But tests by Newsbytes confirmed the researchers' report that Windows 98 systems running IE6 are still vulnerable to the XMLHTTP attack, which allows the reading and sending of local files, according to a Dutch security researcher named Jelmer Kuperus who originally discovered it.
Microsoft originally released the IE cumulative patch, which carries Update Version Q316059, last Thursday. Shortly after the fix was posted, Microsoft discovered an error in the installation "package" for the patch and removed the software from its site. The company said users who successfully installed the recalled patch do not need to take any action.
As of Tuesday morning, the new cumulative patch for IE had not yet appeared on Microsoft's Windows Update site.
Microsoft's bulletin and cumulative patch for IE are at http://www.microsoft.com/technet/security/bulletin/MS02-005.asp .
ThePull's Web site is at http://www.osioniusx.com .
A list of some IE6 vulnerabilities is here: http://jscript.dk/unpatched .
Reported by Newsbytes, http://www.newsbytes.com .