Security hole hits patched Internet Explorer

A new vulnerability has been detected in Microsoft's Internet Explorer (IE) that could allow the execution of malicious code on systems running IE 5.5 and 6.0 of the browser.

The vulnerability effects versions 5.5 and 6.0 that have been patched with a security fix for a similar hole exposed in November by Finland-based security firm Oy Online Systems. Microsoft issued a patch for that hole, but the patch itself seems to have created a new glitch.

The latest hole was discovered by security researcher Georgi Guninski. This bug is in the Microsoft GetObject JScript function, and could allow a hacker to read local files on an affected user's computer, according to Guniski. By placing specially crafted script into a Web page or email, a malicious user could then execute arbitrary programmes on the compromised system, said Guninski.

Microsoft was alerted to the vulnerability on 11 December, according to Guninski, but has so far failed to publish a security bulletin or a patch for IE customers. When the previous security hole was disclosed by Oy Online Systems, Microsoft accused the company of irresponsible behaviour for making the details public before passing the details to Microsoft. Microsoft later apologised when it became clear that the company had provided details of the security hole one week earlier than Microsoft originally said it had.

The workaround solution that Gununski proposes for the latest security hole is to disable Active Scripting. "Better, do not use IE in hostile environments such as the Internet," his advisory warns.

Microsoft could not immediately comment.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.