Researcher to reveal more Internet Explorer problems

Exploiting four or five features in IE could compromise files, says Core Security Technologies

Microsoft's Internet Explorer could inadvertently allow a hacker to read files on a person's computer, another problem for the company just days after a serious vulnerability received an emergency patch.

The problem was actually discovered as long as two years ago but has persisted despite two attempts by Microsoft to fix it, said Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies. He is scheduled to give a presentation at the Black Hat conference in Washington, D.C., on Feb. 3.

The issue could allow a hacker to read files on a person's computer but not install other code. Nonetheless, the problem represents a serious security issue, Medina said. It affects all of Microsoft's operating systems from Windows NT through Windows 7 and every version of IE, including the latest one, IE8.

The hack works when an attacker lures a victim into clicking on a malicious URL (Uniform Resource Locator). Then, by manipulating four or five features in Internet Explorer, the hacker forces the browser to process files that are not pure HTML on the PC, Medina said.

Core notified Microsoft in 2008 of the attack, and the company introduced two different changes for the browser. Core describes the 2009 fix on its Web site, along with the 2008 fix.

Despite the fixes, Medina found ways to pull off the same attack. Since the issue involves features rather than vulnerabilities, it may be more difficult for Microsoft to permanently fix, Medina said. "Some of those features are kind of impossible to fix," Medina said.

Core has been working closely with Microsoft on the issue. Microsoft will next release patches on Feb. 9, and it's not clear if the company plans on fixing the problem then.

The company said on Monday that it is investigating. "We're currently unaware of any attacks trying to use the vulnerability or of customer impact and believe customers are at reduced risk due to responsible disclosure," according to a statement.

The problem represents more woe for IE. Microsoft released an emergency patch on Thursday to repair a zero-day vulnerability that caused Google and more than 30 other companies to be hacked in the so-called Aurora attacks.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags Aurora attackzero-day exploitsGoogleMicrosoftCore Security TechnologiesInternet Explorer

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?