A new vulnerability in Microsoft’s Internet Explorer Web browser that could deceive Web users into downloading malicious files has been reported. The hole was identified in version 6 of IE, but previous releases also could be affected.
Specifically, the vulnerability allows a site owner to misidentify a downloadable file, so a malicious file can appear as one that is secure. For example, site visitors may believe they are downloading a PDF file while actually bringing a self-executing worm onto their computers.
The flaw, reported by Danish security services company Secunia, could be more effective if used in combination with another IE hole discovered last month, also by Secunia. That vulnerability enables hackers to spoof known sites by displaying a false Web address on a fake site, thereby tricking users into handing over financial data or other personal information.
Secunia’s security advisory includes an online test demonstrating how the flaw could be exploited.
In a support document, Microsoft announced it will release a software update to IE and Windows Explorer to disable use of certain syntax in HTTP URLs, but the company did not provide a release date for the patch.
Browsing Without Confidence
Secunia has reported multiple IE flaws in the past, including system compromise vulnerabilities, problems with local zone access and exposure of installed components.
The company’s CTO, Thomas Kristensen, told the E-Commerce Times that he thinks exposing such flaws is important because users deserve to browse without needing to be continually suspicious.
“It’s very important for the normal user to have IE be safe,” he said. “The user needs to be able to trust what he sees and to know that the browser is behaving properly.”
Although Microsoft announced it is working on a software update, Kristensen said he believes the company will not be able to get one out the door in the next few weeks.
“I don’t think we’ll see a patch for this before March,” he said. “They won’t be able to make it in time for their February release.
“Their quality control procedures are too complicated for them to get a patch done soon,” he added. “They have to do tests in multiple language versions, and that takes a great deal of time. You rarely see them rush a patch through.”
Microsoft has yet to issue a patch for the other spoofing flaw discovered by Secunia at the beginning of December, though it did post a bulletin with tips for avoiding spoofed sites.
The patch delays could be the result of a Microsoft policy instituted last year, in which the company stated it had decided to compile fixes in a monthly release rather than distribute updates as they are completed.
Tough To Lock Down
Microsoft has said it is investigating the file-name spoofing vulnerability, but the company has not disclosed whether a patch will become available at the same time as the patch for the IE spoofing flaw discovered last month.
Aberdeen Group analyst Peter Kastner told the E-Commerce Times that although Microsoft is often criticized for patch delays, he believes the company should be given some leeway on the issue.
“You’re not seeing a whole lot of functionality creeping through the micro patch process,” he said. “Whenever a security flaw is found, they fix it as quickly as possible and push it out.”
He added: “It would be nice if Microsoft made bug-free code, sure. But you’re talking about a lot of code. It’s impossible to have it be perfect.”