ZDNet |UK| - News - Story - Security hole hits patched Internet Explorer

• Free newsletters
• ZDNet News on WAP
• Free downloads

Search ZDNet

What's hot on ZDNet

Sign up for FREE ZDNet newsletters
New, easy to use, newsletter shopping basket. Get some in for 2002
NEW: Find IT research here
For IT professionals who need hard information -- fast
New year, new job! Start here
All kinds of tech jobs on offer. Earn more, learn more, and realise your potential

ZDNet UK > News > Story

Security hole hits patched Internet Explorer

08:48 Friday 4th January 2002
Wendy McAuliffe

A patch issued by Microsoft for IE 5.5 and 6.0 closed one security hole in the browsers, but appears to have opened another one that is just as dangerous

A new vulnerability has been detected in Microsoft's Internet Explorer (IE) that could allow the execution of malicious code on systems running IE 5.5 and 6.0 of the browser.

The vulnerability effects versions 5.5 and 6.0 that have been patched with a security fix for a similar hole exposed in November by Finland-based security firm Oy Online Systems. Microsoft issued a patch for that hole, but the patch itself seems to have created a new glitch.

The latest hole was discovered by security researcher Georgi Guninski. This bug is in the Microsoft GetObject JScript function, and could allow a hacker to read local files on an affected user's computer, according to Guniski. By placing specially crafted script into a Web page or email, a malicious user could then execute arbitrary programmes on the compromised system, said Guninski.

Microsoft was alerted to the vulnerability on 11 December, according to Guninski, but has so far failed to publish a security bulletin or a patch for IE customers. When the previous security hole was disclosed by Oy Online Systems, Microsoft accused the company of irresponsible behaviour for making the details public before passing the details to Microsoft. Microsoft later apologised when it became clear that the company had provided details of the security hole one week earlier than Microsoft originally said it had.

The workaround solution that Gununski proposes for the latest security hole is to disable Active Scripting. "Better, do not use IE in hostile environments such as the Internet," his advisory warns.

Microsoft could not immediately comment.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.

IE flaw puts credit card info at risk

IE 6 ready for downloading

Next	IDC: Modest IT growth this year
Previous	Five years ago: Intel 's MMX is finally out

Search for similar stories
Email this story to a friend

Printer friendly version

Prolink GeForce4 graphics card details leak out

Politician slams broadband uncertainty

Europe PC sales fade amid brighter trend

IMac hopefuls face longer waits

Recruiting crisis fuels Java wages

Dell plots push into enterprise services

News Schmooze: Goodbye Segway, hello flying exoskeleton

Wearable PC nears commercial launch

IP Network Architect
£65k - £100k, South East

More IT and Internet jobs...

	Stephan Somogyi Macworld redux: What still stands out
	Peter Judge Web services in poll position

More...

PCs, Printers, Palms, Notebooks -- get 'real time' prices from top UK resellers.

ZDNet NetBuyer -- for latest prices, reviews, and buyers guides.

News tip-offs
Email the news Editor

Mailroom
Got an opinion? Send your comments

News forum
Join the discussions

Report a fault
See a broken link? Let us know

Like the redesign?
...or maybe you don't. Either way, tell us how you feel

	Free Newsletters \| Free Stuff \| TalkBack \| Broadband Britain \| Update your PC \| ZDNet on WAP \| Terms \| MyZDNet
	Contact Us \| Your Privacy \| International \| Advertise \| Work for ZDNet