A flaw has been discovered in Internet Explorer that could enable a remote attack on systems running Windows XP with Service Pack 2, eEye Digital Security has warned.

The flaw, which also affects systems running Windows XP, is found in the default installations of Microsoft's IE, according to an advisory released by the security company on Thursday.

"The flaw is not wormable but allows for the remote execution (of code) with some level of end-user intervention," said Mike Puterbaugh, eEye's senior director of product marketing.

The discovery of this IE flaw comes just over a month after Microsoft issued a cumulative patch addressing three vulnerabilities for IE.

The new IE flaw also adds to another vulnerability, discovered last month, that affects systems using Windows XP SP2.

Microsoft's Windows XP with SP2 is designed to make it more difficult for attackers to run malicious software on users' computers.

A Microsoft representative confirmed that the company had received the report from eEye and said it will be investigating the issue. Because the details of the vulnerabilities have not been made public, users are not at risk of an exploit being developed to take advantage of the flaw, the representative said.

eEye has provided Microsoft with details about the flaw, but the security researcher does not release details to the public until a vendor has developed a relevant patch or issued an advisory.


c/net NEWS.COM

... deja vu all over again ...

old news to me , and according to what i read here the security update was suppost to go out this month but was postponed to next month seems they have trouble fixing it and it needs "further testing"

edit oops just looked at the "One patch due in Microsoft's monthly security update")." in the article and noticed its related to another flaw but not on ie my bad

So don't worry about it one of these days Microshit will fix it.

One word will fix it permanently....Firefox!

One more reason why I use FireFox.

FIREFOX VULNERABILITIES............

http://it.slashdot.org/article.pl?sid=05/09/16/182232

Personally I thought it was pretty funny when people thought using Firebox meant they would never be exposed to another vulnerability on the net again. Well, as with any popular software, Firefox has become a major target for vulnerabilities now also.

Oh I don't claim immunity from this stuff, but I dislike how integrated IE is into Windows.

Personally I thought it was pretty funny when you thought that those promoting Firefox did so because YOU thought they thought it meant they would never be exposed to another vulnerability on the net again...

Yes FireFox can also be exposed to vulnerabilities. They never clamed it can’t be and was immune to all vulnerabilities but at least if any are discovered they are patched strait away most of the time in a few days in FireFox and not in a few months like MS do with IE.

You say patch, I say workaround - http://club.cdfreaks.com/showthread.php?t=149031 Its all the same shit really. Once Firefox hits the usage rate IE has, Exploits will become more common with FF and patching/workarounds will become slower.

http://johnny.ihackstuff.com/index.p...content&id=429
is one of the best site's for flaws.
the site is for poeple to know what flaws are out there and to make sure you fix it or watch it {fix it if you know how}

I use Firefox plus http://www.pivx.com/ I have no idea if PreEmpt is really doing anything but I rather waste a few $

the IDN spoofing vulnerability in FF has been known since February '05 (just google "network.enableIDN" or "network.IDN_show_punycode") BUT while i agree "fixes" will become slower as time goes on, it will NEVER be as slow as IE and MS' fixes...this is due to the community based support system that the Mozilla foundation relies on...very similar to how DRM is developed by one company and easily hacked by the multitude of users around the world in a fraction of the time it took to develop/implement/deploy...it's undeniable that the knowledge and capabilities of an infinite support system surpass that of even the MS goliath....especially since goliath wears a ten-ton backpack around (read: helluva lot of other stuff to worry about at the same time)...

i pointed out in the other browser fan-boi thread that (at that time of posting) Secunia lists 85 security vulnerabilities for IE of which 20 were unpatched, 21 for FF of which 3 were unpatched and 8 for Opera of which 0 were unpatched...now which browser has been around the longest? has the most money behind it? should be patched the quickest? oh right, it's IE

http://club.cdfreaks.com/showpost.ph...&postcount=127

p.s. above numbers have changed since original posting...but not by much...

see these links:

MS IE - http://secunia.com/product/11/ (now 19 or 85 unpatched)
Mox FF - http://secunia.com/product/4227/ (now 3 of 22 unpatched)
Opera - http://secunia.com/product/4932/ (still 0 of 8 unpatched)

so in the span of 3 weeks, MS addressed 1....

Don't forget that the integration of IE into Windows means that many flaws tend to be very serious.

There are some like myself who are not affected by this.
Although IE is still my main browser the "default installation" is long gone and replaced by personal lock down configurations. No ActiveX or Active Scripting is allowed to run on my system. Java permissions have been revoked. Similarly META REFRESH is disabled as is IFRAME access. These are only permitted on Trusted Sites.

Honestly, there are no software on my system with "default installation". Everything is personally configured. IE is no different.

It is no doubt possible to configure IE so as not to be vulnerable BUT
(1) I doubt if the average user has the necessary level of skill and knowledge to be able to do this, and
(2) locking down to this degree means (a) the many of the "features" of IE go unused and (b) Interaction with many sites is no longer possible without a good deal of reconfiguring.

Perhaps IE 7 will provide both security and easy of use ?

Don't make me laugh!!!

I only wrote "perhaps" In the meantime Firefox plus extensions is fine for me

Actually, no skill level is required and there are sites with lock down tutorials for those who are truly interested.

The only thing missing is exploitable content.
ActiveX controls are dangerous and unsafe, I don't need web sites running unknown scripts and codes on my system so Active Scripting is disabled. Java has long been exploitable and is not allowed in IE, Opera or Firefox. Garbage contents such as shockwave flash are not desireable as that's also exploited.
For the more advanced exploits disabling META REFRESH prevents redirections and IFRAME excludes external objects.

There is nothing that I'm missing here. If interaction on a web site is dependent on exploitable contents then I'll simply find another. If it happens to be a web site that I trust, such as Windows Update, then I simoly click on Tools>>>Add to Trusted Zone and with a simple mouse click the site is added to my list of Trusted sites where all contents are allowed to flourish. Conversely, if a site is known to contain harmful content then a simple click, Tools>>>Add to Restricted Zone prevents that site from even setting a cookie.

Whenever I build a system IE can be completely locked down in under two minutes. Service Pack 2 already reconfigures the security settings to exclude most ActiveX controls, so all that's required for most users is to configure the acceptance of Active Scripts. The secure setting is "disable".

So I'm not missing anything except that which can harm my system, yet the system is locked down against virtually all vulnerabilities. My teenage son can surf the most notorious porn sites without exploits and hijacks. Worries eliminated. Yet my wife can do her online banking using the only web browser permitted by her bank, and that is IE.

So I, like some others, am not really affected by exploits and vulnerabilities as we don't run "default installations".

I think we are "talking" at cross purposes here. I'm not saying IE can not be made safe. You may be able to build a system IE ...... in uder 2 minutes but I do not believe that the vast majority of users can.

Perhaps the "default installation" needs to be "not allowed" unless permission is given ? In much the same way as the windows Firewall is enabled until the user disables it ?