Microsoft’s Patch Tuesday activity carried over from last week into this one as the software giant promised to issue a fix for its latest Internet Explorer security patch, which apparently carries a security bug of its own.
The vulnerability could allow attackers to take complete control over a Windows PC running IE 6 with Service Pack 1 and the MS06-042 update installed, according to a Microsoft security advisory published this week. The flaw lies in the way IE handles long Web addresses. The firm has not yet said when the new patch will be ready.
“An attacker who successfully exploited this vulnerability could gain the same user rights as the local user,” Microsoft reported in its security advisory. “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
In one attack scenario, an attacker could host a Web site containing a page that would exploit this vulnerability.
Microsoft explained that compromised Web sites and those that accept or host user-provided content or advertisements may contain specially crafted content that could exploit this flaw.
In all cases, however, an attacker would have no way of forcing users to visit these Web sites. Instead, an attacker would have to persuade users to visit the sites, typically by getting them to click on a link in an e-mail or instant messenger message.
The IE browser’s restricted sites zone helps reduce attacks that are meant to exploit this vulnerability by preventing active scripting from being used when a user is reading HTML e-mail messages. However, Microsoft said if a user clicks a link in an e-mail message, he/she could still be vulnerable to this vulnerability through the Web-based attack scenario. By default, several versions of the Outlook e-mail client open messages in the restricted sites zone.
It’s not uncommon for incompatibilities and vulnerabilities to arise when you introduce new code, according to Ken Dunham, senior engineer at threat intelligence firm iDefense. In fact, that’s one major point in the debate over whether companies should issue third-party patches.
“You can imagine trying to manage a project with millions of lines of code and all sorts of interoperability issues that might emerge, with the need for secure computing on top it. It’s a hefty challenge. It’s not easy for anyone,” Dunham told TechNewsWorld.
The Cat and Mouse Game
To Microsoft’s credit, the company does have the ability to automatically check its code for buffer overflows, one of the most widely exploited browser flaws in the past few years. Analysts said with increasingly sophisticated code, it’s simply becoming more difficult to secure applications.
“Some people may feel that it’s two steps forward and one step back, but the reality is, we do live in a cat and mouse game world with the hackers, and that will never go away,” Dunham noted. “There is a responsibility to securely code applications, and there is the reality that with millions of lines of code, you are going to have some issues crop up.”