Microsoft warned over 'high' security risk to IE

Microsoft has been called on to fix two potentially serious security flaws in Internet Explorer and Outlook that could let a hacker take control of a system when a user clicks a Web link.



Software firm eEye Digital said on Friday that the new security holes in the software giant's browser and e-mail products are rated as "high risk," prompting Microsoft to launch an immediate investigation.



Although the exact Windows versions affected by the flaws are not yet known, eEye specified that most current versions are vulnerable, as are the e-mail clients Outlook and Outlook Express.



The US firm added that while no self-propagating virus or worm could exploit the flaws, Trojans and malicious programmes could use them to gain back-door entry into a PC.



It said reports of the security flaws were privately handed to Microsoft at the end of last week, whereupon the company vowed to develop a patch to fix the problem.



Since the alert, eEye has announced that it has continued its own lab tests, but will not release any further details of the affected Windows versions until the vendor provides a patch.



Marc Maiffret, co-founder and chief hacking officer of eEye, said that initial testing found no active programmes to exploit the flaws, but acknowledged that one could exist.



He said that testing would continue to determine the extent of the problem for each version of Windows, but maintained that "all details" would remain private.



A Microsoft spokesman has since confirmed that no malicious code exists to exploit the security holes found in IE or Outlook, and said the company was committed to protecting its users at the first opportunity.



Whether this means Microsoft will release an out-of-cycle patch or simply include a fix in its next service pack has yet to be disclosed.



eEye warned that whichever remedy is selected, Microsoft operators should be on their guard, as exploiting the flaws requires minimal action and arouses no suspicion from computer users.





















Apr 04, 2005