Microsoft upgrades IE flaw to critical

Zardon · Dec 10, 2002, 02:46 PM

MICROSOFT RAISED THE risk rating on a security flaw in Internet Explorer (IE) to "critical" after criticism prompted it to reexamine the issue, the company said Friday.

Earlier last week, Microsoft issued a patch to fix a flaw in IE 5.5 and IE 6.0 that it said only posed a "moderate" risk to users. Security experts, however, said the issue should be rated critical as it could be exploited to take over a user's machine.

Microsoft reinvestigated the issue and discovered a new exploit scenario that indeed allows an attacker to gain control over a vulnerable system, Steve Lipner, director of security assurance for Microsoft said in an e-mail response to questions.

"The newly-discovered exploit scenario& could allow a malicious user to run code on a user's computer via a specially-crafted Web site or e-mail message, thus warranting a severity rating of critical," Lipner said. Microsoft has revised its security bulletin MS02-068.

The flaw lies in a feature meant to set up security boundaries between Web browser windows and the local system. This "external object caching" vulnerability was first made public in late October by Israeli security company GreyMagic Software.

An attacker could exploit the flaw by luring a user to a specially coded Web page or sending that page via HTML (Hypertext Markup Language) e-mail, Microsoft said. The Redmond, Washington, company urges users to apply the patch, part of a super patch that includes all previous IE 5.5 and IE 6.0 fixes, as soon as possible.

DriveEuro · Dec 10, 2002, 04:19 PM

Damn, will microsoft EVER get their shit straight?

Dec 10, 2002, 02:46 PM	#1
Zardon DriverHeaven Founder Join Date: May 2002 Posts: 32,480 Rep Power: 177	Microsoft upgrades IE flaw to critical MICROSOFT RAISED THE risk rating on a security flaw in Internet Explorer (IE) to "critical" after criticism prompted it to reexamine the issue, the company said Friday. Earlier last week, Microsoft issued a patch to fix a flaw in IE 5.5 and IE 6.0 that it said only posed a "moderate" risk to users. Security experts, however, said the issue should be rated critical as it could be exploited to take over a user's machine. Microsoft reinvestigated the issue and discovered a new exploit scenario that indeed allows an attacker to gain control over a vulnerable system, Steve Lipner, director of security assurance for Microsoft said in an e-mail response to questions. "The newly-discovered exploit scenario& could allow a malicious user to run code on a user's computer via a specially-crafted Web site or e-mail message, thus warranting a severity rating of critical," Lipner said. Microsoft has revised its security bulletin MS02-068. The flaw lies in a feature meant to set up security boundaries between Web browser windows and the local system. This "external object caching" vulnerability was first made public in late October by Israeli security company GreyMagic Software. An attacker could exploit the flaw by luring a user to a specially coded Web page or sending that page via HTML (Hypertext Markup Language) e-mail, Microsoft said. The Redmond, Washington, company urges users to apply the patch, part of a super patch that includes all previous IE 5.5 and IE 6.0 fixes, as soon as possible.

Dec 10, 2002, 04:19 PM	#2
DriveEuro HardwareHeaven Extreme Member Join Date: Jul 2002 Location: Gurnee Illinois Posts: 4,677 Rep Power: 0	Damn, will microsoft EVER get their shit straight? __________________ [color=orange]ASUS P4P800 Deluxe [color=black]-[/color] 2.4C --> 3300mhz [color=black]-[/color] Mushkin PC3200 at 220 5-2-2-2 (cpu limited) [color=black]-[/color] BBAti 9800Pro at 430/375 [/color] [color=black]3[/color][color=gray]D[/color]M[color=black]a[/color][color=gray]r[/color]k[color=yellow]01[/color] [color=black]3[/color][color=gray]D[/color]M[color=black]a[/color][color=gray]r[/color]k[color=yellow]03[/color] 16001200 12801024