Enterprise Software

Another Internet Explorer flaw found

This is the third time in a month that Microsoft must play catch-up with researchers finding vulnerabilities in its browser.

Stay on top of the latest tech news with our free IT News Digest e-newsletter, delivered each weekday. Automatically sign up today!

By Robert Lemos
CNET News.com

A computer science researcher has highlighted the shortcomings of Microsoft's latest patch for its Internet Explorer browser by identifying another way that online vandals could run malicious programs on a Web surfer's computer.

Microsoft on Friday that's designed to protect computers from one of three flaws that, together, could be used to digitally slip past a PC's security through the browser. This weekend, however, a security researcher identified another flaw that could serve the same purpose and that isn't fixed by Microsoft's patch.

"They chose to address only one part of the problem," said Jelmer Kuperus, a computer science student in the Netherlands who posted the code for the work-around. "They should have seen this one coming."

This marks the third time in a month that Microsoft has had to play catch-up to researchers' public disclosures about insecurities in Internet Explorer. In early June, Kuperus found a Web site that , plus the recently patched one, to install on victims' computers. Additionally, security researchers discovered last week that a milder vulnerability, which Microsoft had fixed in early versions of the browser, .


Windows worm returns
New version of Lovgate uses old tactics

Microsoft acknowledged the latest issue and said more fixes would be forthcoming.

"The company is working to provide a series of security updates to Internet Explorer in coming weeks that will provide additional protection for customers," a company representative told CNET News.com. The company will also "continue to actively investigate these reports."

The most recent flaw is not new—security researchers first discussed the issue in January, Kuperus said. It had originally been considered minor, but the flaw is significant because it can be used in conjunction with the two other vulnerabilities, which were found at the beginning of June. Together, all three add up to easy access to Windows computers running Internet Explorer.

"Most exploits we are seeing developed today are composed of multiple vulnerabilities, (each one) bypassing a specific security feature of Internet Explorer," Kuperus said. "Individually, many of these issues often are fairly harmless, but combined they can pose serious risk."

Both the original and the latest vulnerabilities exist in a library of components and scripting features known as ActiveX. The older flaw is in ADODB.Stream, while the latest vulnerability is in the Application.Shell component.


More IT news stories
Software piracy losses double
Spammers can be beaten in two years, regulators say
Ballmer: Microsoft needs better sales pitch
IRS eyes Net phone taxes

Vulnerabilities in IE have become so common that some security researchers are . The Computer Emergency Response Team, the official U.S. body responsible for defending against online threats, also advised security administrators to consider moving to a non-Microsoft browser, as one of six recommended responses.

Microsoft recommends that users go to the company's for the latest information.

Editor's Picks

Free Newsletters, In your Inbox