Unpatched IE flaw allows remote attacks

Microsoft is yet to offer a patch for a public flaw in Internet Explorer 6 that could allow malicious code to be executed remotely

A flaw in Microsoft Internet Explorer's image rendering capabilities may allow attackers to execute code remotely, according to security experts.

Security consultant and author Michal Zalewski has found a number of possible flaws in the way IE handles JPEG images, one of which he claims could be exploited for remote arbitrary code execution — a type of attack that is generally categorised as critical by security vendors.

Four proof-of-concept images that can exploit these flaws have been made available by Zalewski. Each of these crashes IE 6, the latest version of Microsoft's browser, even if it has been patched with Service Pack 2. Previous versions of IE may also be affected, said SecurityFocus. Two of the exploit images also cause memory and CPU problems.

Zalewski did not report this bug to Microsoft before publishing it, due to the problems he claims to have experienced with the software giant's bug-reporting process.

"It is my experience that reporting and discussing security problems with Microsoft is a needlessly lengthy process that puts too much burden and effort on the researcher's end, especially if you just have a crash case, not a working exploit; hence, they did not get an advance notice," said Zalewski in a posting on security site Neophasis.

"Microsoft is investigating new public reports of possible vulnerabilities in Internet Explorer, but we have not been made aware of attacks," a spokesperson said. "Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. Microsoft is concerned that this new report of possible vulnerabilities in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk."

Earlier this week, another image-processing security vulnerability that affected both IE and MSN Messenger surfaced. That bug was caused by vulnerability in the way the applications handle International Color Consortium Profiles, but that was fixed by Microsoft in their last set of patches.

More information on the flaws can be found on the SecurityFocus Web site, under bug number 14282 and 14284.