We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

IE download flaw found

Hackers could bypass security warnings and download malicious content

A computer security researcher and an antivirus company are warning Microsoft customers about an unpatched hole in the company's Internet Explorer web browser that could allow a remote attacker to bypass security warnings and download malicious content onto vulnerable systems.

The warnings came after the hole was identified on the Bugtraq internet security discussion list by someone using the name "Rafel Ivgi." The hole affects Internet Explorer (IE) version 6.0.0, including the version released with Windows XP Service Pack 2. The vulnerability allows malicious attackers to bypass warnings designed to inform users when a file is being passed to their computer using a specially-crafted HTML web document.

Microsoft was not able to comment on the hole in time for this story.

Security software company Symantec issued a vulnerability alert about the hole Friday and cited Ivgi, which also provided code proving that the hole existed.

According to the Bugtraq message and Symantec alert, an IE feature designed to catch references to file downloads does not detect a particular HTML event, known as "onclick", when it is combined with the common HTML BODY tag, which designates the beginning and ending of the main part of a web page.

Malicious internet users could use the onclick event in combination with another function called "createElement" to create an Iframe, or "inline frame", which is an HTML element that allows external objects to be inserted into another HTML document. Attackers could link the Iframe to a malicious web page that downloaded a malicious file to the user's computer when the page was clicked on, without generating a warning in the Information bar, Symantec says.

There is no patch available for the new hole, and no specific exploit code is required to take advantage of the hole, Symantec says.

IE users are advised to avoid links provided by unknown or untrusted sources, to keep from being lured to a malicious website. IE users can also configure the browser to disable the execution of script code and active content, though doing so could have adverse effects on the way IE functions, Symantec says.

The news comes just three days after Microsoft issued software patches for several serious Windows security holes and released a new tool that lets users remove malicious software from their PCs, and amid increasing competition in the web browser market from the Mozilla Foundation's Firefox browser.

Last Tuesday, the software company published security bulletins and patches for two critical holes, one in the Windows HTML Help system and the other in Windows code that handles cursor, animated cursor and icon formats.


IDG UK Sites

Best Black Friday 2014 tech deals: Get bargains on smartphones, tablets, laptops and more

IDG UK Sites

What the Internet of Things will look like in 2015: homes will get smarter, people might get fitter

IDG UK Sites

See how Trunk's animated ad helped Ade Edmondson plug The Car Buying Service

IDG UK Sites

Yosemite tips: Complete Guide to OS X Yosemite