There were warnings today that flaws in Microsoft's IE (Internet Explorer) could allow attackers to take control of your system. Security researchers warned that one of the two proof-of-concept bugs affects the Firefox browser too.
Also this week, Microsoft rereleased a patch from two weeks ago that had interfered with users' dialup connections.
A researcher on the Full Disclosure mailing list warned of the two IE problems, the more serious of which could be used to trick users into executing code on their systems. The bug is in IE's handling of file shares, and could allow attackers to execute malicious HTA applications via a directory traversal attack, according to researchers.
Because exploitation requires users to double-click somewhere on a web page, some researchers, such as Secunia, gave this bug a moderately critical rating, while others, such as the SANS Institute, said it was more severe.
The second flaw involves the way IE handles redirections and could allow an attacker to access information from other websites in the context of the user, via the object.documentElement.outerHTML property.
"This vulnerability can be potentially nasty as attackers can use it to retrieve data from other websites the user is logged into (for example, webmail) and harvest user credentials," said SANS Internet Storm Center handlers in an advisory. "Several handlers have spent a little more time validating this particular issue and while it is a subtle exploit and rated a lower level risk, this issue has raised some of our neck hairs."
Secunia confirmed the bug on a fully patched system running Internet Explorer 6.0 and Windows XP SP2, and published a vulnerability test based on proof-of-concept code published by researcher Plebo Aesdi Nael on the Full Disclosure list.
SANS ISC said it had confirmed the bug in Mozilla Firefox. While Secunia's demonstration doesn't expose the Firefox version of the bug, Nael's original proof-of-concept code can be exploited on the Mozilla browser, according to SANS ISC handlers.
Earlier this month, Microsoft released a patch fixing problems with routing and remote access, as detailed in Microsoft Security Bulletin MS06-025. On Tuesday, the company updated the patch to address problems with dialup connections and dialup scripting created by the original patch.
Researchers with the Metasploit Project released exploit code for bug MS06-025 a few days after the patch, causing Microsoft to warn users that attacks exploiting the vulnerability could be imminent.
This story first appeared on Techworld.com