Among the six new flaws are three whose threat Microsoft has designated as "critical" for client systems.
The first vulnerability, which the company originally addressed in June of this year, could enable an attacker to take any action on another system that the system's legitimate user could take. The problem stems from an "Unchecked Buffer in Gopher Protocol Handler."
The Gopher protocol is a legacy protocol that provides for the transfer of text-based information across the Internet. An unchecked buffer exists in a piece of code that handles the response from Gopher servers, making it possible for an attacker to exploit the flaw by mounting a buffer overrun attack through a specially crafted server response.
Another flaw that poses a "critical" threat is a buffer overrun in a legacy text formatting ActiveX control. The vulnerability, discovered by Next Generation Security Software, could allow an attacker who successfully exploited it to take any action on a user's system that the user himself could take. This could enable the attacker to run programs, communicate with web sites, reformat the hard drive, or take other actions.
Such an attack could be mounted by hosting a specially constructed web page on a web site, or by sending such a page to another user as HTML mail.
According to Microsoft's report, for an attack of this kind to occur, the user would have to allow ActiveX controls to run on the user's system. In IE's security settings, by default, web pages in the Restricted Sites Zone cannot run ActiveX controls. This turns out to be significant in the case of the HTML mail vector, as by default some programs, such as Outlook Express 6.0 and Outlook 2002, open HTML mail in the Restricted Sites Zone.
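As an added example (not from the article or from Microsoft), the following PowerShell script reads the Internet Explorer zone settings from the registry and reports whether the Restricted Sites zone still disables "Run ActiveX controls and plug-ins," which is the default the article relies on. It assumes the documented zone layout: zone id 4 is Restricted sites, action id 1200 is the ActiveX run policy, and the values 0, 1 and 3 mean Enable, Prompt and Disable.

```powershell
# Added example: confirm the Restricted Sites zone blocks ActiveX controls.
# Assumptions (not from the article): zone 4 = Restricted sites,
# action 1200 = "Run ActiveX controls and plug-ins", 0/1/3 = Enable/Prompt/Disable.
# The HKLM key is checked as well, since a machine policy can override the user setting.
$zonePaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4'
)
$actionId = '1200'
$meaning  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

foreach ($path in $zonePaths) {
    if (-not (Test-Path $path)) {
        Write-Output "$path : key not present"
        continue
    }
    # Read the action value; a missing value means the zone's built-in default applies.
    $value = (Get-ItemProperty -Path $path -Name $actionId -ErrorAction SilentlyContinue).$actionId
    if ($null -eq $value) {
        Write-Output "$path : action $actionId not set (zone default applies)"
        continue
    }
    $label  = if ($meaning.ContainsKey([int]$value)) { $meaning[[int]$value] } else { "Unknown($value)" }
    # Anything other than Disable (3) weakens the protection the article describes.
    $status = if ([int]$value -eq 3) { 'OK' } else { 'REVIEW' }
    Write-Output "$path : Run ActiveX controls = $label [$status]"
}
```

A "REVIEW" result means a user or policy change has re-enabled ActiveX in the zone that Outlook Express and Outlook use for HTML mail, so the default mitigation no longer applies.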
The final threat can allow one web site to access information in another domain, including the local system, making it possible for a web site to read files on the local file system that can be rendered in a browser, or to invoke executables on the local file system.
The vulnerability is caused by improper cross-domain verification when the Object tag is used in a particular manner.
The remaining three less serious IE flaws are: a vulnerability that could, under certain conditions, enable an attacker to read certain types of data files on another user's system; a vulnerability that could enable an attacker to misrepresent the origin of a file offered for download; and a new variant of a vulnerability that could allow an attacker to cause script to be run in the Local Computer Zone.
A patch covering all of the newly discovered vulnerabilities is available for download here.
The software giant, which has been plagued by security flaws, also released another "moderate threat" warning about an unchecked buffer in the Network Share Provider that could allow an attacker to crash a target machine by sending it a specially crafted packet request. Patch information for this vulnerability, which affects Microsoft NT 4.0 Workstation, Windows 2000 Professional, Windows 2000 Server, Windows 2000 Advanced Server and XP Professional, is available here.
Microsoft additionally released a new vulnerability patch to its Service Pack 2 for Office XP, initially released earlier this week, addressing three vulnerabilities in several ActiveX controls in Office Web Components, the most serious of which could allow an attacker to run commands on the user's system. Each of the vulnerabilities is caused by implementation errors in specific methods and functions the controls expose, and could be exploited either via a web site or via HTML mail. SP2 is available for download here.