Experts warn of trick to bypass IE security

A computer security researcher and an antivirus company are warning Microsoft customers about an unpatched hole in the company's Internet Explorer Web browser that could allow a remote attacker to bypass security warnings and download malicious content onto vulnerable systems.

The warnings came after the hole was identified on the Bugtraq Internet security discussion list by someone using the name "Rafel Ivgi." The hole affects Internet Explorer (IE) version 6.0.0, including the version released with Windows XP Service Pack 2 (SP2). The vulnerability allows malicious attackers to bypass warnings designed to inform users when a file is being passed to their computer using a specially-crafted HTML (Hypertext Markup Language) Web document.

Microsoft reacted strongly to the warnings Friday, saying that the Bugtraq notice made false claims about Internet Explorer in Windows XP SP2, and claiming that the download blocking feature in that version of the browser is working as designed.

"Microsoft is disappointed that an independent security researcher has posted a false claim on several newsgroups alleging that the automatic blocking feature of Internet Explorer in Windows XP SP2 (also referred to as the Information Bar) fails to function properly. These postings are inaccurate and misleading to customers," the company said in a statement.

Security software company Symantec issued a vulnerability alert about the hole Friday and cited Ivgi, which also provided code proving that the hole existed.

According to the Bugtraq message and Symantec alert, an IE feature designed to catch references to file downloads does not detect a particular HTML event, known as "onclick," when it is combined with the common HTML

tag, which designates the beginning and ending of the main part of a Web page.

Malicious Internet users could use the onclick event in combination with another function called "createElement" to create an IFRAME, or "inline frame," which is an HTML element that allows external objects to be inserted into another HTML document. Attackers could link the IFRAME to a malicious Web page that downloaded a malicious file to the user's computer when the page was clicked on, without generating a warning in the Information bar, Symantec said.

There is no patch available for the new hole, and no specific exploit code is required to take advantage of the hole, Symantec said.

According to Microsoft, the issue described in the Bugtraq alert is not a security problem. In fact, Internet Explorer for Windows XP SP2 does display a security warning in the scenario described in the warning: a dialog box instead of the information bar. "And that is what it is supposed to do," said Kevin Kean, director of the Microsoft Security Response Center.

"We have examined the proof of concept code that he included and analyzed that. Internet Explorer does what we would expect it to do, it brings up the dialog box for the download, there is no vulnerability," Kean said.

IE users are advised to avoid links provided by unknown or untrusted sources, to keep from being lured to a malicious Web site. IE users can also configure the browser to disable the execution of script code and active content, though doing so could have adverse effects on the way IE functions, Symantec said.

The news comes just three days after Microsoft issued software patches for several serious Windows security holes and released a new tool that lets users remove malicious software from their PCs, and amid increasing competition in the Web browser market from the Mozilla Foundation's Firefox browser.

On Tuesday, the software company published security bulletins and patches for two critical holes, one in the Windows HTML Help system and the other in Windows code that handles cursor, animated cursor and icon formats.(See: http://www.microsoft.com/technet/security/bulletin/MS05-001.mspx and http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx.)

(Joris Evers in San Francisco contributed to this story.)

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?