MSoft patch leaves flaw unattended

Discussion in 'other security issues & news' started by Paul Wilders, Feb 23, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Jul 1, 2001
    The Netherlands
    Microsoft Patches IE But Leaves PopUp Attack For Later
    By Brian McWilliams, Newsbytes
    22 Feb 2002, 2:36 PM CST

    Microsoft on Thursday issued another set of patches to correct two "critical" security flaws in its Internet Explorer (IE) browser. But the company has yet to wall off a month-old attack that can launch programs on the computers of IE 6 users.

    The patches, posted at the Microsoft site Thursday evening, include a fix for an IE6 bug published last December in the browser's XMLHTTP ActiveX control, as well as for a previously unpublished flaw in the handling of VBScript by all supported versions of IE.

    Both flaws have been rated critical risks by Microsoft, which advises affected customers to patch affected systems immediately.

    Still awaiting a patch is a flaw that has been dubbed the Popup Object vulnerability. Originally reported to Microsoft more than five weeks ago, the bug in IE6 allows attackers to execute any program on a remote system.

    In a harmless demonstration of the bug, also known as the IE arbitrary program execution vulnerability, a security researcher who uses the nickname ThePull showed how a Web page can be designed to launch applications such as the Windows registry editor, command prompt and file transfer protocol.

    "I could make a worse exploit for that. Maybe someone else has and no one knows about it," said ThePull, who recently joined Eeye Digital Security as a quality assurance analyst, in an interview today. His Jan. 10 advisory reported, however, that he has not found a way to pass parameters to the programs.

    Microsoft has not publicly acknowledged ThePull's discovery. Company representatives have responded to inquiries by saying that his advisory may put Microsoft customers at risk and cause "needless" confusion and apprehension.

    In a break from past practice, Microsoft's bulletins on the IE flaws today did not contain direct links to the patches but instead instructed customers to visit the software maker's Windows Update site.

    Some system administrators complained today on mailing lists that they have been unable to access the Windows Update site and that Microsoft's failure to publish direct links to the patches has prevented them from protecting their systems.

    Microsoft's bulletin on the XMLHTTP vulnerability is at technet/security/bulletin/MS02-008.asp

    Microsoft's bulletin on the VBScript handling flaw is at technet/security/bulletin/MS02-009.asp

    ThePull's advisory is at advisory4.html

    Windows update is at


    source: newsbytes
Thread Status:
Not open for further replies.