Another week, another Microsoft Internet Explorer vulnerability to be discovered—this one, according to security experts, affecting even versions with the Service Pack 2 update.
According to Bugtraq and Symantec, the IE feature meant to intercept references to file downloads does not catch the HTML "onclick" event when it is attached to the body tag, the common element that marks the beginning and end of a Web page's main content. That leaves attackers free to point an iframe at a malicious page that downloads malicious files to a user's computer when the page is clicked on—with no information bar warning.
Symantec, the maker of Norton AntiVirus and SystemWorks, said in an advisory that there was no patch for the hole at this writing, and that no specific exploit code is needed to take advantage of it.
Microsoft Security Response Center director Kevin Kean said in a statement that the reported flaw involved little, if any, actual vulnerability. "We have examined the proof of concept code…and analyzed that," he said. "Internet Explorer does what we would expect it to do, it brings up the dialog box for the download, there is no vulnerability."
Microsoft, in fact, retorted that Bugtraq security researcher Rafel Igvi had posted a false claim on a newsgroup that the automatic blocking feature malfunctions. "These postings," said a company statement, "are inaccurate and misleading to customers."