Microsoft has issued a security advisory warning of a "critical" flaw in its Internet Explorer browser.

It also sent out a second advisory highlighting a less severe problem with its Windows XP operating system.

The Internet Explorer vulnerability stems from a security function in the software designed to stop one domain, such as a website, from sharing information with another domain. Microsoft discovered that such information sharing could occur when certain dialogue boxes are used.

An attacker could create a web page that uses the flaw to run malicious code, possibly in the form of an executable file, on a computer used to visit the page. A related vulnerability allows an attacker to access a user's system via HTML pages that display help content.

The company recommended that users with Internet Explorer versions 5.01, 5.5, and 6.0 download a patch for these problems. The security bulletin, including links to the patch, is at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-004.asp.

The second warning, for Windows XP, concerns a problem in the Windows Redirector software, which is used to access local and remote files.

Microsoft warned that, by sending bad data to the Redirector, a hacker could cause a system failure or, if the data were crafted in a particular way, run malicious code on the user's computer.

The flaw in XP cannot be exploited remotely, and an attacker would need the ability to log on to a system to run programs that use the Redirector. Nevertheless, Microsoft said users should consider installing its security update for the problem and rated it an "important" issue.

The security bulletin, including links to the patch, is at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-005.asp