It has been a rough year for Microsoft. And for the users who haven’t yet switched to XP, or upgraded using SP2. Almost every month brought a new vulnerability in some version of IE. There were notably fewer in XP+SP2 than in other combinations. For those still using some flavour of 9X, NT or 2000, the wait for a patch has been a long, painful one.
The patch for the infamous IFRAME buffer overflow was posted on December 1st, 2004, almost one month after it was reported, in the form of the MS04-040 security update.
Today, exactly one week after MS04-040, Secunia Research has announced yet another vulnerability in IE, affecting IE 5, 5.5 and 6, on various operating systems, XP+SP2 included. In their own words: “Secunia Research has reported a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to spoof the content of websites.”
Luckily, this vulnerability is not a critical one. But it will be no doubt a nice addition to scammers bag of tricks, trying to lure you into filling out online forms on fake sites which claim to be eBay.com or your e-banking interface.
Because it’s not a critical vulnerability, it means we probably won’t be seeing an epidemic based on this flaw, but beware of scam and phishing e-mails relying on this trick. Moreover, because this is not just an IE vulnerability, many other browsers are affected as well, increasing the potential for abuse.
You can see all vulnerability advisories on the Secunia site.