BNET UK
silicon.com
ZDNet UK

Home
News
Blogs
Reviews
Videos
Jobs
Resources
Community

Leader
Comment
White Papers
Downloads
Special Reports

Hardware
Software
Communications
Internet
Security
IT Management
Emerging Tech
Leader

Group Blogs
News Blog
Post Room
Rupert's Diary

Hardware Reviews
Software Reviews
Editors' Choice
Buyer's Guides
Tech Guides
Competitions

Dialogue Box
Security threats
Server platforms
Mobile devices
Application development
Full video index

Articles
White Papers
Downloads
Companies
Broadband Speed Test

People
Competitions
Post Room
FAQ

You are here: ZDNet UK > News > Security

Desktop platforms Toolkit

Unpatched IE flaw allows remote attacks

Tags:
Internet Explorer

Ingrid Marson ZDNet.co.uk

Published: 20 Jul 2005 16:45 BST

A flaw in Microsoft Internet Explorer's image rendering capabilities may allow attackers to execute code remotely, according to security experts.

Security consultant and author Michal Zalewski has found a number of possible flaws in the way IE handles JPEG images, one of which he claims could be exploited for remote arbitrary code execution — a type of attack that is generally categorised as critical by security vendors.

Four proof-of-concept images that can exploit these flaws have been made available by Zalewski. Each of these crashes IE 6, the latest version of Microsoft's browser, even if it has been patched with Service Pack 2. Previous versions of IE may also be affected, said SecurityFocus. Two of the exploit images also cause memory and CPU problems.

Zalewski did not report this bug to Microsoft before publishing it, due to the problems he claims to have experienced with the software giant's bug-reporting process.

"It is my experience that reporting and discussing security problems with Microsoft is a needlessly lengthy process that puts too much burden and effort on the researcher's end, especially if you just have a crash case, not a working exploit; hence, they did not get an advance notice," said Zalewski in a posting on security site Neophasis.

"Microsoft is investigating new public reports of possible vulnerabilities in Internet Explorer, but we have not been made aware of attacks," a spokesperson said. "Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. Microsoft is concerned that this new report of possible vulnerabilities in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk."

Earlier this week, another image-processing security vulnerability that affected both IE and MSN Messenger surfaced. That bug was caused by vulnerability in the way the applications handle International Color Consortium Profiles, but that was fixed by Microsoft in their last set of patches.

More information on the flaws can be found on the SecurityFocus Web site, under bug number 14282 and 14284.

Did you find this article useful?
103 out of 196 people found this useful

Share this article:
Digg
Slashdot
Del.ici.ous
Stumble
Reddit

In association with Network Liberation Movement

Company/Topic Alerts

Create a new alert from the list below:

Microsoft

Internet Explorer

Related Jobs

Test Engineer, Test Analyst, Software Tester - Bristol - Avon

VB.NET Analyst Programmer - Nottingham, East Midlands

Senior Network Analyst / Security Analyst

Video

Install Flash Player plugin

Find out more: From The Labs: A look at...

All videos
Most popular videos
Latest videos

Microsoft Windows 7 Special Report Special Report

How Microsoft can make Windows 7 a success

Comment Many businesses have given Vista a wide berth; Microsoft must focus on five areas to make sure Windows 7 doesn't suffer the same fate, argues TechRepublic's Jason Hiner