You are here  IT Management Risk Management

Windows leak reveals Explorer vulnerability

Wednesday 18 February 2004 04:11

A bug hunter claims to have uncovered a security flaw in Microsoft Internet Explorer 5 after studying Windows source code leaked last week.

The vulnerability allows an attacker can gain control over a user's computer by using a specially crafted bitmap file. When loaded using IE 5, the file will trigger an overflow error and allow the attacker to run arbitrary code on a victim's machine, according to the SecurityTracker.com website.

The flaw was uncovered by reviewing IE source code that was part of a larger Windows code leak last week and exists in all versions of IE 5 for all Windows versions.

Vulnerable versions of IE are used by millions of internet users. Web tracking company WebSideStory estimated the the figure could be around 16% to 17%.

Thor Larholm, senior security researcher at PivX Solutions, investigated the report and tested code to exploit the flaw.

The IE 5 problem proves the security implications of the code leak, where a malicious coder could take advantage of the source code to find security holes, Larholm said. "This has definitely proven the potential for critical vulnerabilities."

Microsoft began investigating the vulnerability report on Monday. The company already knew of the security problem and had fixed it in IE 6.0.

Microsoft urges IE 5 users to upgrade to IE 6.0 with Service Pack 1. However, IE 5.01 with Service Pack 2 is still supported, according to Microsoft's product support web page. The company is working on a patch for this and other versions of IE predating IE 6.0 and is investigating why it did not fix the vulnerability in those versions before.

Last week, Microsoft said that incomplete portions of its closely guarded Windows NT and Windows 2000 source code, the blueprints of the operating system software, had been leaked on the internet.

Analysts and security experts at the time warned that a breach of the Windows source code could expose users to an increase in cyberattacks because it would make it easier for hackers to find holes in the operating systems that they could exploit.

Joris Evers writes for IDG News Service