Fresh flaw for Internet Explorer

Another security flaw identified in Microsoft's Internet Explorer 5.5 and 6.0 Web browsers has the potential to give a remote user access to a host computer, according to security company Online Solutions.

The attack exploits Internet Explorer's built-in gopher client. Gopher is a protocol for accessing files over the Internet that has been largely superseded by Web pages.

The gopher code contains an exploitable buffer overflow bug, which a malicious server may use to run arbitrary code on an IE user's system, Online Solutions said.

The attack can be launched via a Web page or an HTML mail message, which redirects the user to a malicious gopher server when viewed. The exploiter could do anything that a regular user could do on the system: retrieve, install or remove files, and upload and run programs.

IE users can protect themselves from the flaw by disabling the gopher protocol and, since very few gopher servers still exist on the Internet today, this is unlikely to cause operational problems, the company said.

Online Solutions said it had informed Microsoft of the vulnerability on 20 May and that Microsoft has indicated it is working on a patch.

Until a patch is released, Online Solutions suggests a simple way for users to disable the processing and display of gopher pages: define a non-functional gopher proxy in Internet Options.

Users should: select Tools -> Internet Options -> Connections; click on "LAN settings"; check "Use a proxy server for your LAN"; click on "Advanced..."; then, in the area where proxy servers can be defined for different protocols, go to the Gopher text field and enter "localhost", and enter "1" in the port text field.

This will stop Internet Explorer from fetching any gopher documents, the company said.
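One way to check whether a machine's settings match the workaround above, given as an added example that does not come from Online Solutions or Microsoft. It assumes the dialog's entries are stored as a `ProxyEnable` flag plus a WinINet-style `ProxyServer` string (`proto=host:port;...`); the function names and sample values are constructed for illustration.

```python
# Assumption: IE keeps the LAN proxy settings as a ProxyEnable flag plus a
# WinINet "ProxyServer" string such as "http=proxy:8080;gopher=localhost:1";
# a bare "host:port" entry applies to every protocol.
LOOPBACK = {"localhost", "127.0.0.1"}


def parse_proxy_server(value):
    """Return {protocol: (host, port)}; key '*' is an all-protocol proxy."""
    proxies = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        proto, sep, target = entry.partition("=")
        if not sep:  # bare "host:port"
            proto, target = "*", entry
        target = target.split("://", 1)[-1]  # tolerate "gopher=gopher://host:1"
        host, _, port = target.rpartition(":")
        if not host:  # no port given
            host, port = target, ""
        proxies[proto.strip().lower()] = (host.strip().lower(), port.strip())
    return proxies


def gopher_workaround_status(proxy_enable, proxy_server):
    """Classify one machine's settings against the workaround in the article."""
    if not proxy_enable:
        return "not applied: proxy use is switched off"
    proxies = parse_proxy_server(proxy_server or "")
    host, port = proxies.get("gopher") or proxies.get("*") or ("", "")
    if not host:
        return "not applied: no proxy covers gopher"
    if host in LOOPBACK and port == "1":
        return "applied"
    if host in LOOPBACK:
        return "review: loopback proxy on port %s, article uses port 1" % (port or "?")
    return "not applied: gopher is forwarded to proxy %s" % host


# Constructed sample settings (not taken from any real machine).
SAMPLES = [
    (1, "gopher=localhost:1"),
    (1, "http=proxy.example:8080;gopher=localhost:1"),
    (1, "http=proxy.example:8080"),
    (1, "proxy.example:8080"),
    (0, "gopher=localhost:1"),
]

if __name__ == "__main__":
    for enable, server in SAMPLES:
        print(enable, repr(server), "->", gopher_workaround_status(enable, server))
```

The check reports the workaround as missing when the "Use a proxy server" box is unticked, even if a gopher entry is still present in the stored string.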
