Is Microsoft's IE Patch Flawed?
Security researchers claim a hole remains that can give hackers access through Outlook, IE.
A new patch designed to address six serious security vulnerabilities in Microsoft Internet Explorer doesn't fix all the problems it purports to, according to security researchers.
The patch, which was released late Wednesday, is designed to fix a cross-site scripting problem and other security and privacy flaws affecting Internet Explorer (IE) versions 5.01 through 6 and the Outlook e-mail client. However, the patch fixes only the cross-site scripting issue on one of the listed browsers, according to two security researchers who sent e-mail to the Bugtraq security e-mail list after the patch's release.
Flawed Fix?
According to Microsoft's explanation of the issue, the flaw can be exploited only when a user clicks on an HTML link on a Web page or in an e-mail message. That's not true, as code embedded in an HTML file can automatically execute, according to Thor Larholm, a security researcher who has discovered a number of Microsoft vulnerabilities and maintains a list of unpatched IE holes online. Larholm's assertion is backed by the Israeli security group GreyMagic Software, which has also discovered a number of browser vulnerabilities.
As a result, users can unwittingly launch malicious code simply by opening an infected e-mail message.
The patch doesn't completely fix the problem because the flaw resides in the dialogArguments component of IE, which is not addressed by the patch, both researchers said. Furthermore, though Microsoft claims the flaw only exists in IE 6, both researchers maintain that the problem is also found in IE 5.01 and 5.5.
Microsoft Investigates
Microsoft representatives say the current patch performs as necessary, but that the company is looking into the latest allegations.
"Microsoft is aware of the issues and is investigating the reports," a Microsoft spokesperson said. Microsoft maintains that the patch does what the company said, but the company is also investigating the researchers' claims, the spokesperson said.
This isn't the first time that a Microsoft patch has caused problems for users. Another IE patch, released in February, caused the browser to crash.