Only three days after the official release of the first service pack for Microsoft's Internet Explorer 6.0 web browser, security experts are raising concerns about security vulnerabilities that were not addressed by the company.
The patch release, known as "Service Pack 1," was posted Monday on Microsoft's website and contains fixes for more than 300 issues with Internet Explorer 6.0, which was first released with the Windows XP operating system in October 01. Despite the fixes, however, security experts warn that significant vulnerabilities remain even after applying the patch.
"Security-wise, I would say it's pretty bad right now," says Thor Larholm, a security researcher for Pivx Solutions LLC, a US security consulting company.
"You can do anything to anyone's web page with Internet Explorer 6.0. It's wide open to anyone."
Top among the concerns of Larholm and other security experts are vulnerabilities that let attackers take advantage of holes in the web of restrictions and security rules that make up Microsoft's DHTML (dynamic hypertext markup language) Object Model, which governs the interaction of windows, dialog boxes and web page frames.
An advisory issued recently by the Israeli security company GreyMagic Software warns of the potential danger, when using Internet Explorer, including version 6.0 Service Pack 1, that hackers could take over web pages to gain access to visitors' personal information.
And, experts say, because of the tight integration between Microsoft's Internet Explorer browser and its other Office products, such as the popular email program Outlook, there is no shortage of ways to trick unsuspecting users into visiting a web page that a hacker controls.
"This can be done in many ways," said Lee Dagon, a researcher at GreyMagic. "For example, some versions of Outlook Express and Outlook render emails sent in HTML format… this means that scripts can execute and therefore the vulnerability becomes exploitable by email," Dagon said.
While not all of the vulnerabilities Larholm identified are severe, he said that the sheer number of different security holes makes it easy for attackers to move freely once they have gained access to a machine using Internet Explorer and running Windows.
"They all add up," Larholm said in reference to the security holes. "Some are mild, some are severe, but when you combine them, they can be devastating."
When asked for comment on the issues raised by Larholm and other security experts, a spokesman for Microsoft said that the company firmly believes it acts in the best interest of customers. The spokesman added that Microsoft's security experts often reach different conclusions about the technical feasibility of the possible attacks identified by third-party security experts.
Despite the vulnerabilities he found, Larholm still recommends that Internet Explorer users upgrade to Service Pack 1.
"If you're going to use Internet Explorer, I would recommend upgrading to Service Pack 1," Larholm said. "The vulnerabilities that exist in [Internet Explorer version 6.0] Service Pack 1 exist in the 5.0, 5.5 and 6.0 browsers too, and the improvements in Service Pack 1 are adequate to justify upgrading."