New Internet Explorer holes causing alarm

Four new holes have been discovered in the Internet Explorer (IE) Web browser that could allow malicious hackers to run attack code on Windows systems, even if those systems have installed the latest software patches from Microsoft, security experts warn.

Some of the new flaws are already being used to attack Windows users and include a glitch that allows attackers to fake or "spoof" the address of a Web page, as well as vulnerabilities that enable malicious pages from the Internet to be handled by IE with very little scrutiny or security precautions.

A Microsoft spokeswoman acknowledged the reports and said the company is looking into the attacks and is considering what steps to take, including the release of an emergency security patch to address the problems.

Word of the four new vulnerabilities surfaced in security discussion news groups in recent weeks. Two of the vulnerabilities, first disclosed by someone using the name Rafel Igvi and posted to the NTBugtraq discussion list, allows attackers to load content from malicious Web pages while displaying the Web address of legitimate sites in the Internet Explorer's address bar. Attackers could trick users into clicking on the bogus Web links using e-mail messages or by linking from other Web pages.

The vulnerability is very similar to another hole that was uncovered in December that allowed attackers to hide the real location of a Web page by including the characters %01 before the @ symbol in a URL. The new vulnerability allows attackers to hide the actual address of the Web page that is being loaded by prefacing the address with the characters ::/ with some IE URLs, according to security company Secunia.

"Conceptually, it's very similar to the %01 problem, and (the flaw) is in a related part of the Internet Explorer code," said Thor Larholm, senior security researcher at PivX Solutions.

Another unpatched hole, called a "cross zone scripting" vulnerability, allows attackers to trick Internet Explorer into loading insecure content using relaxed security precautions typically applied to files stored on the local hard drive or obtained from a trusted Web site such as www.microsoft.com, Secunia said.

When combined, the address spoofing and cross zone scripting holes can create a potent and stealthy attack, with attackers using the spoofing hole to trick IE into thinking it is on a safe Web site, even as it loads malicious content from another part of the Internet, Larholm said.

"The address spoofing makes sure (the attacker) can load content from his site, and the cross zone scripting hole makes sure he can do it in (a trusted) security zone," he said.

On Thursday, two more unpatched Internet Explorer holes also surfaced that are slight variations on the same themes. One is a spoofing vulnerability that works on IE, as well as the Mozilla and Safari browsers and allows attackers to fake the address displayed in the address bar. The other is a cross zone scripting hole that lets users load insecure Web pages as if they were trusted Web pages, Larholm said.

The IDG News Service is a Network World affiliate.