Network News

X My Profile
View More Activity

Microsoft: Another Critical IE Flaw

Microsoft Corp. late Tuesday issued an advisory warning about an unpatched security hole in some versions of its Internet Explorer Web browser that attackers could use to take full control of computers via code embedded in Web sites or by viewing a specially crafted image in the preview pane of Outlook Express.

According to the alert, the problem yet again has to do with the way IE parses image files ending in ".WMF". In January, Microsoft was forced to issue a fix outside of its regular monthly update cycle to fix another WMF flaw that spyware and viruses were using to infiltrate Windows PCs.

But Microsoft insists this problem is completely different from the WMF flaw remedied by January's patch, and that this flaw only is present in IE version 5.01 Service Pack 4 running on Windows 2000 Service Pack 4, or IE version 5.5 Service Pack 2 running on top of Windows Millennium (ME).

My suspicion is that this is the same flaw Security Fix called attention to on Jan. 9, just four days after Microsoft released a patch to fix the other WMF problem. At that time, security researchers were talking about how the patch didn't completely fix the WMF problem. Lennart Wistrand, lead security program manager at the Microsoft Security Response Center, downplayed reports that other WMF flaws could be used to attack IE users, saying, the glitches "are not exploitable but are instead Windows performance issues that could cause some WMF applications to unexpectedly exit."

Hrm ... I guess Microsoft was finally convinced that the bug was exploitable. At any rate, the company is slated to issue February's patch batch on Tuesday. No doubt security researchers will get to the bottom of this once they've reverse-engineered the official patch.

For the time being, if you are running Windows ME or Windows 2000, you can check the version of the browser by selecting "Help" from IE's top menu and selecting "About Internet Explorer." Microsoft advises people using these vulnerable versions to upgrade to IE version 6 Service Pack 1, which can be downloaded here.

Update, 3:36 p.m. ET:Microsoft's Stephen Toulouse contacted me to emphasize that the flaw Microsoft mentioned Tues. evening (CVE-2006-0020) is distinct from the crash issue they called attention to on Jan. 9 (CVE-2006-0143). Maybe I conflated the two because both issues deal with WMF and the Windows graphics rendering engine (GRE), and they both appear to have been reported or disclosed on Jan. 9.

"It gets confusing because both posts mention 'Denial of Service' and use WMF and GRE interchangeably to describe their issues," Toulouse said. "But they are completely independent issues, separately reported by different finders at totally different security lists."

Still, that doesn't change the fact that there are now at least two distinct, unpatched security flaws in IE, one of which is critical. One other thing that doesn't exactly add clarity to this situation: A vulnerability note over at SecurityFocus says the latest WMF flaw (CVE-2006-0020) affects many more operating systems and Windows configurations than Microsoft acknowleges in its advisory.

By Brian Krebs  |  February 8, 2006; 12:05 AM ET
Categories:  Latest Warnings  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: A Time to Patch II: Mozilla
Next: Microsoft Anti-Virus Pricing Ripples?

Comments

I wonder how Apple Computer compares in this regard.

Posted by: Charles Rang | February 8, 2006 7:59 AM | Report abuse

Microsoft has raised the term "protection racket" to a whole new level of meaning -- charging its customers to protect themselves agains flaws in their own software. The new "Windows OneCare Live" is not only a greedy grab at erstwhile MS partners' Symantec and McAfee business but an arrogant exploitation of their market monopoly. Time to revisit the antitrust laws.

Posted by: Bertram Lowi, Southampton, NY | February 8, 2006 11:27 AM | Report abuse

More to my earlier, I just sent an email to Ford and GM suggesting a way to raise their revenue by following Mircrosoft's lead and charging customers to repair their recalls. Just kidding but you get the point.

Posted by: Bertram Lowi, Southampton, NY | February 8, 2006 11:43 AM | Report abuse

Yes, Microsoft recommends upgrading to IE6, but the best choice is firefox... www.getfirefox.com

Be done with Microsoft and their flaw-ridden products...

Posted by: Tech DC | February 8, 2006 11:46 AM | Report abuse

The problem with Apple is that they charge for every release of OS X. For example, they make corrections in 10.3 up to 10.3.9, but you have to buy 10.4. Worse is that their other products often require the latest OS. What a racket.

Funny thing is that 10.3.6 is more stable than 10.3.9, but you can't go backwards so what choice do you have but to buy new. Better yet, don't upgrade unless that upgrade solves a problem you're having. If it ain't broke, don't fix it applies very well to Mac.

Posted by: Richard | February 8, 2006 5:19 PM | Report abuse

I find microsoft is no more reliable as there are lots of security flaw and when one tries to change to mozilla firefox the same problempersists as probably the malicious websites steal password etc and harass the user of computer.There should be united fight against these problems(International collaboration)

Posted by: pratap | April 28, 2006 3:17 AM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company