Security Firms Uncover Another IE Vulnerability

Another week, another Microsoft Internet Explorer vulnerability. This one, according to several Internet security firms, involves the way IE handles “name” and “src” attributes in iFRAMEs, which means all a user has to do is visit a Web page with IE and – unless they’re a Windows XP user with Service Pack 2 installed – their computer can be compromised.

The flaw impacts programs using the MSHTML rendering control from IE, including e-mail programs, AOL, and Lotus Notes, the security companies said, adding that this bug is particularly serious because working code is believed to have been sent already to a number of large mailing lists, causing “hundreds” of attacks in the past 24 hours.

Online publication eBCVG has said the term YAIEV (Yet Another Internet Explorer Vulnerability) has begun making the rounds of security newsletters and discussion groups, thanks to the sheer volume of IE flaws being spotted and reported in recent months.

“The case against Microsoft's IE software has been growing of late,” the publication said. “Proportionately, though, users and security professionals are becoming more and more aware of the requirement for Windows XP users to upgrade to SP2, as it has protected against nearly all of the recent vulnerabilities in Microsoft's flagship browser.”

Other reports indicated Microsoft planned an announcement later on November 5 giving a full evaluation of the flaw and how the company will handle it, though the company may be expecting to need as many as five days to build a proper patch.

Because the iFRAME code is crucial to numerous applications, eBCVG said, a patch could need extensive testing to make sure it doesn’t compromise corporate or Web applications.