Security researchers say a newly discovered flaw in Microsoft’s Internet Explorer (IE) browser could enable a remote attacker to download malicious content to a computer without triggering the warnings that usually accompany such downloads.
The lack of warning could enable an attacker to use specially written HTML Web pages to install spyware or other unwanted programs to a machine without the user being aware of it. In some cases, the machine could then be disabled or utilized in further attacks.
Word of the flaw became public during the week after being posted to the Bugtraq security discussion list by a self-described security researcher using the name “Rafel Ivgi.”
Symantec Corp. later issued an advisory based on the publication of the flaw. The company said that IE’s download-detection function can be overridden by certain combinations of code that include an automatic download function and other HTML tags.
The new apparent vulnerability comes after security firm Secunia released word of several “critical” flaws in the browser’s code about a week ago.
Some researchers claim the more recently reported flaw, which affects IE version 6.0, can still be exploited in Windows XP machines even after Service Pack 2, which was meant to tighten security in Microsoft’s flagship software and its still-dominant Web browser, is installed.
However, Microsoft called the early reports of the flaw “inaccurate and misleading” and again urged security researchers and others to follow standard practice for reporting, which calls for the software maker to be notified first before a vulnerability is made public.
Eroding Browser Edge
Analysts say even the suggestion of more security woes with IE is bad news for Microsoft, which is seeing its market share erode in the browser market.
WebSideStory now estimates that IE controls 90.6 percent of the browser market, down from more than 95 percent in mid-2004. Showing especially strong growth is the open-source Firefox browser, which WebSideStory said saw a 34 percent jump in usage during December.
In fact, Secunia’s recent warnings of IE flaws came with a recommendation that users adopt alternative browsers.
Microsoft recently released new patches for other known Windows flaws and released a new tool that lets users remove malicious software from their computers.
Addressing the Threat
Microsoft has reportedly been working on a number of updates to IE that would help bridge the gap until Windows’ successor, Longhorn, is released. Microsoft also recently began to cobble together third-party enhancements to its browser at its online download center.
Enderle Group principal analyst Rob Enderle said if current trends continue, Microsoft might have no choice but to substantially upgrade its browser in order to answer much stronger competition from Firefox and others. A new version of the Netscape browser that Microsoft displaced for market dominance is also in the works.
“Microsoft doesn’t like to leak out its innovations in little pieces, but they might have no choice but to do something in the interim,” Enderle said.
Some analysts say Microsoft might feel an increased sense of urgency if its share of the browser market dips below the 90 percent level, which could happen as soon as this month.