Microsoft investigates another IE flaw report | CNET News.com: “A new, unpatched flaw in Internet Explorer could let miscreants surreptitiously run malicious code on Windows PCs, according to the discoverer of the bug. The problem affects Internet Explorer 6 — the latest version of Microsoft’s Web browser — on computers running Windows XP with Service Pack 2 and all security patches installed.”
Here’s another one:
A security flaw has been found in the default installation process for Microsoft’s Internet Explorer, Outlook and Outlook Express, according to eEye Digital Security (see eEye: Flaw found in IE, Outlook installation by CNET News.com). A common thread with these applications is the potential for a buffer overflow, which in turn could allow an attacker to gain access to users’ systems remotely. Systems at risk with this flaw include those running Windows XP with Service Pack 0 or 1 and Windows 2000. (Check eEye’s vulnerability assessment report for details.)
Lo and behold, eEye found more flaws involving Internet Explorer and Windows XP with SP2 that could enable a remote attack on systems: IE flaw puts Windows XP SP2 at risk (CNET News.com). The flaw can be found in default installations of IE, according to eEye’s advisory.
These discoveries come just over a month after the jolly green software giant issued a cumulative patch addressing three vulnerabilities for IE. If you still use IE, you had better get this patch. One particularly nasty flaw is the way IE handles JPEG images — an attacker could commandeer a PC by crafting a malicious image and tricking the victim to look at it on a Web site or in an HTML e-mail.