PC World: Technology Advice You Can Trust

Is Microsoft's IE Patch Flawed?

Security researchers claim a hole remains that can give hackers access through Outlook, IE.

Sam Costello, IDG News Service

Thursday, May 16, 2002 5:00 PM PDT
A new patch designed to address six serious security vulnerabilities in Microsoft Internet Explorer doesn't fix all the problems it purports to, according to security researchers.

The patch, which was released late Wednesday, is designed to fix a cross-site scripting problem and other security and privacy flaws affecting Internet Explorer (IE) versions 5.01 through 6 and the Outlook e-mail client. However, the patch fixes only the cross-site scripting issue on one of the listed browsers, according to two security researchers who sent e-mail to the Bugtraq security e-mail list after the patch's release.

Flawed Fix?

According to Microsoft's explanation of the issue, the flaw can be exploited only when a user clicks on an HTML link on a Web page or in an e-mail message. That's not true, as code embedded in an HTML file can automatically execute, according to Thor Larholm, a security researcher who has discovered a number of Microsoft vulnerabilities and maintains a list of unpatched IE holes online. Larholm's assertion is backed by the Israeli security group GreyMagic Software, which has also discovered a number of browser vulnerabilities.

As a result, users can unwittingly launch malicious code simply by opening an infected e-mail message.

The patch doesn't completely fix the problem because the flaw resides in the dialogArguments component of IE, which is not addressed by the patch, both researchers said. Furthermore, though Microsoft claims the flaw only exists in IE 6, both researchers maintain that the problem is also found in IE 5.01 and 5.5.

Microsoft Investigates

Microsoft representatives say the current patch performs as necessary, but that the company is looking into the latest allegations.

"Microsoft is aware of the issues and is investigating the reports," a Microsoft spokesperson said. Microsoft maintains that the patch does what the company said, but the company is also investigating the researchers' claims, the spokesperson said.

This isn't the first time that a Microsoft patch has caused problems for users. Another IE patch, released in February, caused the browser to crash.

