Microsoft: Another Critical IE Flaw
Microsoft Corp. late Tuesday issued an advisory warning about an unpatched security hole in some versions of its Internet Explorer Web browser that attackers could use to take full control of computers via code embedded in Web sites or by viewing a specially crafted image in the preview pane of Outlook Express.
According to the alert, the problem yet again has to do with the way IE parses image files ending in ".WMF". In January, Microsoft was forced to issue a fix outside of its regular monthly update cycle to fix another WMF flaw that spyware and viruses were using to infiltrate Windows PCs.
But Microsoft insists this problem is completely different from the WMF flaw remedied by January's patch, and that this flaw is present only in IE version 5.01 Service Pack 4 running on Windows 2000 Service Pack 4, or IE version 5.5 Service Pack 2 running on top of Windows Millennium (ME).
My suspicion is that this is the same flaw Security Fix called attention to on Jan. 9, just four days after Microsoft released a patch to fix the other WMF problem. At that time, security researchers were talking about how the patch didn't completely fix the WMF problem. Lennart Wistrand, lead security program manager at the Microsoft Security Response Center, downplayed reports that other WMF flaws could be used to attack IE users, saying the glitches "are not exploitable but are instead Windows performance issues that could cause some WMF applications to unexpectedly exit."
Hrm ... I guess Microsoft was finally convinced that the bug was exploitable. At any rate, the company is slated to issue February's patch batch on Tuesday. No doubt security researchers will get to the bottom of this once they've reverse-engineered the official patch.
For the time being, if you are running Windows ME or Windows 2000, you can check the version of the browser by selecting "Help" from IE's top menu and selecting "About Internet Explorer." Microsoft advises people using these vulnerable versions to upgrade to IE version 6 Service Pack 1, which can be downloaded here.
Update, 3:36 p.m. ET: Microsoft's Stephen Toulouse contacted me to emphasize that the flaw Microsoft mentioned Tues. evening (CVE-2006-0020) is distinct from the crash issue they called attention to on Jan. 9 (CVE-2006-0143). Maybe I conflated the two because both issues deal with WMF and the Windows graphics rendering engine (GRE), and they both appear to have been reported or disclosed on Jan. 9.
"It gets confusing because both posts mention 'Denial of Service' and use WMF and GRE interchangeably to describe their issues," Toulouse said. "But they are completely independent issues, separately reported by different finders at totally different security lists."
Still, that doesn't change the fact that there are now at least two distinct, unpatched security flaws in IE, one of which is critical. One other thing that doesn't exactly add clarity to this situation: A vulnerability note over at SecurityFocus says the latest WMF flaw (CVE-2006-0020) affects many more operating systems and Windows configurations than Microsoft acknowledges in its advisory.