After discovering a serious new vulnerability in Microsoft Internet Explorer last month, the well-known GreyMagic security team continued to look at other possible problems with Internet Explorer. Thus far, the team has discovered nine new IE vulnerabilities, eight of which the company rates as critical.

A GreyMagic Software spokesperson said that the company has tried working with Microsoft in the past but found it to be slow in fixing many critical flaws. Thus, GreyMagic now operates on a full disclosure policy where, after carefully verifying the existence of the vulnerabilities, it makes a public announcement of the problems at the same time that it notifies Microsoft.

In response to this policy, a Microsoft spokesperson said, “We are concerned by the way this report has been handled. The majority of users simply cannot or do not use publicly posted information to protect themselves from new vulnerabilities. Communicating to the relatively small number of dedicated security mailing list subscribers is not a practical or effective way of securing the millions of Microsoft customers—it is only effective in guaranteeing that hackers are armed.”

A new group of exploits
These vulnerabilities are all exploits associated with failures to verify that different Web pages are in the same domain and should be assigned to the same security zone. The problems are related to object caching, where an attacker opens a window to one object and is then allowed to access a variety of unrelated objects as well.

The details of each vulnerability, along with a general workaround and proof-of-concept information, are found on the GreyMagic security advisory page. The generic exploit below is taken from that site and illustrates the kind of flaws GreyMagic has discovered. This shows how to capture the contents of a cookie:
<script language=”jscript”>
var oWin=open(“blank.html”,”victim”,”width=100,height=100″);
[Cache line here]
    function () {
        [Exploit line(s) here]

Microsoft Internet Explorer versions 5.5 and 6 are vulnerable; earlier versions are not. IE6, even with SP1 installed, is still vulnerable to the external and clipboardData vulnerabilities, but not to the other seven.

Please note: GreyMagic Software warns that AOL Browser, MSN Explorer, and any other software using the IE engine from 5.5 or 6 will also be vulnerable to attacks making use of these exploits.

There is a report that upgrading IE 5.5 with SP2 will fix the vulnerabilities in that version, but you’ll probably have to wait for a complete evaluation by Microsoft before having total confidence in that solution.

Risk level—critical
All but one of these vulnerabilities is rated as critical by GreyMagic because they can expose content on users’ computers to the systems attacker or allow the attacker to run software on the compromised system.

Mitigating factors
Although attackers would need to know the exact name and location of the files they want to copy, this isn’t a significant mitigating factor because Windows stores some critical files, such as password information, in standard locations.

GreyMagic Software recommends that you disable Active Scripting until Microsoft produces a patch for these vulnerabilities. GreyMagic has published a quick online test you can use to determine whether your software is vulnerable to any of these nine exploits of the object caching flaw.

Final word
Some people have a problem with the way GreyMagic releases news of vulnerabilities. But I have been following its actions for some time, and it really did try working with Microsoft in the past. Unfortunately, GreyMagic didn’t have much success getting the vulnerabilities it discovered patched in what it considered a timely fashion. In some cases, Microsoft took as long as six months to respond.

Via e-mail, GreyMagic told me, “We believe that the users have a right to know about vulnerabilities in popular software and take action in protecting themselves using the suggested workarounds while Microsoft is working on a patch.”

Since this approach also lets attackers know about vulnerabilities, I’m not certain I fully support this instant disclosure policy. On the other hand, I can certainly understand GreyMagic’s frustration, waiting around for weeks or even months for Microsoft to deal with serious vulnerabilities.

The fact that GreyMagic also releases workarounds at the same time greatly mitigates any blame that might fall on the company for releasing information about the vulnerabilities before Microsoft releases patches.

It’s also important to point out that many crackers already know about many vulnerabilities and exploit them before they are disclosed to the general public. Often, the only people who don’t know about these vulnerabilities until they are published are Microsoft’s security team, script kiddies, and network admins who are far too busy patching holes in software to test the underlying code themselves.

Some companies warn Microsoft well in advance of public release. Some don’t. Some used to but don’t bother any longer. Until Microsoft begins to respond more quickly to serious threats contained in its software, I think it’s reasonable for companies to try different approaches, if only to see which one puts the most pressure on Microsoft to patch dangerous vulnerabilities.