IE 5.5 exploit evades security feature

Bug hunter tracks down yet another vulnerability in Microsoft's Internet Explorer

The latest in a long line of bugs to hit Microsoft's Internet Explorer will allow unauthorised access to files on a victim's computer, according to respected Bulgarian bug-hunter, Georgi Guninski.

The "IE 5.5 Cross Frame security vulnerability" uses JavaScript, a Web page scripting language, to bypass security features built into Internet Explorer. It allows the contents of a file to be sent back to Web server when a page containing the mischievous JavaScript is visited.

Guninski outlines this vulnerability on his Web site where he also provides a demonstration of the exploit in action. Although Microsoft is reportedly working on a fix, there is currently no patch. Guninski recommends users disable active scripting to be safe.

Security has become something of a regular concern for Microsoft's Internet Explorer browser and some experts believe this latest issue is an especially serious problem.

"It is very significant because cross site scripting was touted as a new security feature," says Greg Jones, senior security engineer with consultancy firm Information Risk Management. "They've [Microsoft] dug their own grave, to an extent."

The bug might also leave Microsoft particularly red faced considering that the software giant recently released Advanced Security Privacy, a Beta program designed to increase the security of Internet Explorer 5.5 and give users greater control over tracking features such as cookies.

Security experts stress the particular security hole poses only a minimal threat to Internet users. However, it may be better to be safe than sorry, they say. "You need to keep up to date with the news," advises Deri Jones, marketing manager for DTA Monitor. "The only way [companies] can really find out whether they are secure is to get security tested. That is where the rubber hits the road."

Take me to the Hackers News Special

What do you think? Tell the Mailroom m And read what others have said.