Microsoft investigates two IE flaws
By Bill Brenner, Senior News Writer
22 Mar 2006 | SearchSecurity.com
Microsoft is looking into a pair of new security holes in Internet Explorer (IE) that attackers could use to cause a denial of service or launch malicious code. Proof-of-concept exploit code has been written for one of the flaws.
One issue was discovered by vulnerability researcher Jeffrey van der Stad. In a posting on his Web site, he said the software giant had run its own tests and confirmed the flaw. He quoted a Microsoft security team member as saying, "We have been trying to get this fix into the next IE release, but it's been a lot of work to do that, as it's relatively late in the cycle. It looks like it will make it in, though."
The company's next scheduled patch release is April 11.
Cupertino, Calif.-based AV giant Symantec Corp. also looked at Van der Stad's findings and e-mailed an analysis to customers of its DeepSight Threat Management System. While few details were available, Symantec said the problem seems to revolve around HTA files, which are HTML applications that are given higher levels of trust and access to a local system than remote Web pages typically receive.
"A successful attack may allow remote attackers to execute HTA applications in the context of targeted users," Symantec said. "This may allow remote code execution and facilitate the compromise of affected computers."
The rest of the story can be found here
