We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,258 News Articles

Internet Explorer still leaves door open to hackers

Researcher to reveal more flaws at Black Hat

Microsoft's Internet Explorer could inadvertently allow a hacker to read files on a person's computer, another problem for the company just days after a serious vulnerability received an emergency patch.

The problem was actually discovered as long as two years ago but has persisted despite two attempts by Microsoft to fix it, said Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies. He is scheduled to give a presentation at the Black Hat conference in Washington DC on February 3.

The issue could allow a hacker to read files on a person's computer but not install other code. Nonetheless, the problem represents a serious security issue, Medina said. It affects all of Microsoft's operating systems from Windows NT through Windows 7 and every version of IE, including the latest one, IE8.

The hack works when an attacker lures a victim into clicking on a malicious URL (Uniform Resource Locator). Then, by manipulating four or five features in Internet Explorer, the hacker forces the browser to process files that are not pure HTML on the PC, Medina said.

Core notified Microsoft in 2008 of the attack, and the company introduced two different changes for the browser. Core describes the 2009 fix on its website, along with the 2008 fix.

Despite the fixes, Medina found ways to pull off the same attack. Since the issue involves features rather than vulnerabilities, it may be more difficult for Microsoft to permanently fix, Medina said. "Some of those features are kind of impossible to fix," Medina said.

Core has been working closely with Microsoft on the issue. Microsoft will next release patches on February 9, and it's not clear if the company plans on fixing the problem then.

Microsoft said on Monday that it is investigating. "We're currently unaware of any attacks trying to use the vulnerability or of customer impact and believe customers are at reduced risk due to responsible disclosure," according to a statement.

The problem represents more woe for IE. Microsoft released an emergency patch on Thursday to repair a zero-day vulnerability that caused Google and more than 30 other companies to be hacked in the so-called Aurora attacks.

See also:

PC security advice


IDG UK Sites

Best Christmas 2014 UK tech deals, Boxing Day 2014 UK tech deals & January sales 2015 UK tech...

IDG UK Sites

Apple's 2014 highlights: the most significant Apple news of 2014

IDG UK Sites

Watch this heartwarming Christmas short by Trunk for composer John Rutter

IDG UK Sites

Ultimate iOS 8 Tips: 35 awesome and advanced tips for using iOS 8 on iPhone and iPad