Windows source code leak leads to IE hole

A bug hunter claims to have uncovered a security flaw in Microsoft's Internet Explorer (IE) 5 Web browser by studying Windows source code that was leaked last week.

The vulnerability allows an attacker to gain control over a user's computer by using a specially crafted bitmap file. When loaded using IE 5, the file will trigger an overflow error and allow the attacker to run arbitrary code on a victim's machine, according to a description of the flaw posted Sunday on the Web site.

The flaw, which was uncovered by reviewing IE source code that was part of a larger Windows code leak last week, exists in all versions of IE 5 for all Windows versions, according to the description.

Vulnerable versions of IE are used by millions of Internet users. As of Feb. 16, 17 percent of Internet users worldwide had some version of IE 5 installed, according to San Diego-based Web tracking company WebSideStory Inc.

Thor Larholm, senior security researcher at PivX Solutions LLC in Newport Beach, California, confirms the vulnerability. He investigated the report and tested code to exploit the flaw.

The IE 5 problem proves the security implications of the code leak, where a malicious coder could take advantage of the source code to find security holes, Larholm said. "This has definitely proven the potential for critical vulnerabilities," he said.

Microsoft began investigating the vulnerability report on Monday, the company said in a statement. The security problem is a known issue that the Redmond, Washington-based vendor had previously discovered internally and fixed in IE 6.0, according to the statement.

Microsoft urges IE 5 users to upgrade to IE 6.0 with Service Pack 1. However, IE 5.01 with Service Pack 2 is still supported, according to Microsoft's product support Web page. The vendor is working on a patch for this and other versions of IE predating IE 6.0 and is investigating why it did not fix the vulnerability in those versions before, a Microsoft spokesman said Tuesday.

Microsoft last week said that incomplete portions of its closely-guarded Windows NT and Windows 2000 source code, the blueprints of the operating system software, had been leaked on the Internet.

Analysts and security experts at the time warned that a breach of the Windows source code could expose users to an increase in cyberattacks because it would make it easier for hackers to find holes in the operating systems that they could exploit.

Stories by Joris Evers
