Two New IE Bugs Uncovered

Security analysts at Microsoft as well as those at SANS Institute's Internet Storm Center and Symantec Corp. are warning of two new Internet Explorer bugs that could cause major problems for users.

One of the vulnerabilities would let attackers execute code remotely if they can convince users to double click on a button on a web page. Disabling IE's active scripting may help this problem, and the ISC warns that we'll be seeing this type of malicious code becoming a problem very soon.

There is a second bug in that IE does not enforce cross-domain policies. These cross-domain vulnerabilities could be used by hackers to obtain passwords, user IDs, and other personal information from users.

The note from the Internet Storm Center said, "This vulnerability can be potentially nasty as attackers can use it to retrieve data from other web sites [that the] user is logged into (for example, webmail) and harvest user credentials. Several handlers have spent a little more time validating this particular issue and while it is a subtle exploit and rated a lower level risk, this issue has raised some of our neck hairs."

To learn more about these bugs so that you can warn clients and try to protect against attackers, read the entire article (link above).

Submitted by Joshua Feinberg