February 17, 2004 5:17 PM PST

Source code opens window to old IE flaw

By Robert Lemos
Staff Writer, CNET News

• Share
  • Digg
  • Del.icio.us
  • Reddit
  • Facebook
  • Google
  • Newsvine
  • Yahoo! Bookmarks
  • Twitter
  • Stumbleupon
• E-mail
• Print

The vulnerability, which affects only Internet Explorer 5.01, could allow attackers to set up faux Web servers or send malicious e-mails that would compromise people's PCs when they click on a URL (uniform resource locator), security researchers revealed last weekend. Microsoft confirmed the issue and said it's investigating the problem.

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

The discovery of the vulnerability confirms that the Windows source code that was leaked last week can be used to find flaws in Microsoft's software. File traders and security researchers spread two 200MB files containing the code across the Internet, and it's unlikely that Microsoft will be able to curtail the effects of the leaked code.

"On the good side, all of the (leaked) software is from before Microsoft started the Trustworthy Computing Initiative--it's old code," said Thor Larholm, senior security researcher at software firm PivX Solutions. "On the bad side, this definitely shows that there is potential for some critical vulnerabilities to be found because of the leak."

Larholm also pointed out that a lot of the leaked code, which is at least 2 years old, has been included in the latest version of Microsoft's operating system.

A security researcher, who only identified himself by the initials "gta," posted information on the vulnerability to several security mailing lists. Less than 10 percent of Internet users browse with the vulnerable Internet Explorer, according to data from Web analytics firm WebSideStory.

Microsoft fixed the issue in later versions of Internet Explorer without telling consumers, a practice known in security circles as the "silent fix." Patching is always good, but the company should make sure that it informs the end users, said Chris Wysopal, vice president for research and development at digital security firm @Stake.

"I just wonder how it was communicated to end users that they should upgrade," he said.

Wysopal sees a positive side to the discovery, however. The vulnerability's limited effect should be a testament to Microsoft's Trustworthy Computing Initiative, he said.

"The big issue (for the initiative) is whether Microsoft has been able to find vulnerabilities in its code base," he said. "Now, we have an example of at least one (issue) that they have been able to fix."

Most Popular

Latest tech news headlines

• Network security makes a quantum leap

  Posted in News - Security by Tim Ferguson

  October 13, 2008 7:48 AM PDT

• The Linux opportunity buried in the Unix market share data

  Posted in The Open Road by Matt Asay

  October 13, 2008 7:07 AM PDT

• Add 2.1-channel speakers to your laptop for $19.99

  Posted in The Cheapskate by Rick Broida

  October 13, 2008 6:42 AM PDT

• See all headlines