A new security issue in Internet Explorer has been exposed by a Polish technical research group.

The unpatched bug exists in VBScript and allows hackers to plant malware on machines running Windows XP and the IE browser.
Hackers could exploit the help files in Internet Explorer, leading to “remote code execution,” said Maurycy Prodeus, a security analyst with Polish group iSEC Security Research, who found and logged the problem last Friday.
Prodeus added that “some user interaction is needed” to trigger the vulnerability. “Victim[s] have to press F1 when [a] Message Box popup is displayed”.
Microsoft admits it’s got a problem. “An issue was posted publicly that could allow an attacker to host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop up dialog box,” responded Microsoft’s senior Security Communications Manager Jerry Bryant on Microsoft’s security blog.
“The issue in question involves the use of VBScript and Windows Help files in Internet Explorer. Windows Help files are included in a long list of what we refer to as ‘unsafe file types’. These are file types that are designed to invoke automatic actions during normal use of the files. While they can be very valuable productivity tools, they can also be used by attackers to try and compromise a system.”
He added that, as of yet, the issue has not arisen on any other Microsoft OS.
IE has come under mass scrutiny over the past few months, after attacks on companies such as Google and Adobe revealed a security flaw in IE6 that could be exploited by hackers.