Microsoft security has been bypassed again, according to a security researcher who claims to have found an unpatched hole in - yes - Internet Explorer that allows a remote attacker to download malicious content onto vulnerable systems.
Microsoft however has refuted the claims and said the feature in question is working as designed. "Microsoft is disappointed that an independent security researcher has posted a false claim on several newsgroups alleging that the automatic blocking feature of Internet Explorer in Windows XP SP2 fails to function properly. These postings are inaccurate and misleading to customers," the company said in a statement.
The hole was identified on the Bugtraq Internet security discussion list by Rafel Ivgi - a security consultant for Finjan software and a regular hole-discoverer by the name of The Insider. The hole affects Explorer version 6, including the version released with Windows XP Service Pack 2. It allows malicious attackers to bypass warnings designed to inform users when a file is being passed to their computer using a specially-crafted HTML Web document.
Symantec issued a vulnerability alert about the hole late on Friday and cited Ivgi. According to the Bugtraq message and Symantec alert, an IE feature designed to catch references to file downloads does not detect a particular HTML event, known as "onclick," when it is combined with the common HTML tag, which designates the beginning and ending of the main part of a Web page.
Malicious Internet users could use the onclick event in combination with another function called "createElement" to create an IFRAME, or "inline frame," which is an HTML element that allows external objects to be inserted into another HTML document. Attackers could link the IFRAME to a malicious Web page that downloaded a malicious file to the user's computer when the page was clicked on, without generating a warning in the Information bar, Symantec said.
There is no patch available for the new hole, and no specific exploit code is required to take advantage of the hole, Symantec said.
IE users are advised to avoid links provided by unknown or untrusted sources, to keep from being lured to a malicious Web site. IE users can also configure the browser to disable the execution of script code and active content, though doing so could have adverse effects on the way IE functions, Symantec said.
According to Microsoft, the issue described in the Bugtraq alert is not a security problem. In fact, Internet Explorer for Windows XP SP2 does display a security warning in the scenario described in the warning: a dialog box instead of the information bar. "And that is what it is supposed to do," said Kevin Kean, director of the Microsoft Security Response Center.
"We have examined the proof of concept code that Ivgi included and analysed that. Internet Explorer does what we would expect it to do, it brings up the dialog box for the download, there is no vulnerability," Kean said.
The news comes just three days after Microsoft issued software patches for several serious Windows security holes and released a new tool that lets users remove malicious software from their PCs, and amid increasing competition in the Web browser market from the Mozilla Foundation's Firefox browser.