By Paul F. Roberts
August 30, 2005
Microsoft is investigating another critical hole in its Internet
Explorer Web browser.
The hole, if left unpatched, could allow remote attackers to take
control of Windows XP machines running Service Pack 2 and Internet
Explorer 6 using silent attacks that are launched from malicious Web
The remotely exploitable hole can be used to compromise fully patched
Windows XP SP2 computers and there is no way to block attacks,
according to Tom Ferris, the independent researcher who found the
News of the critical, unpatched hole comes just weeks after a report
on another critical Windows hole  from Ferris, who uses the online
"It's a pretty nasty flaw," Ferris said on Tuesday.
"If a user visits a malicious Web site, the [attack] code can be
executed without them even knowing about it=97there's no pop-up or crash
screen," he said.
Microsoft Corp. acknowledged in an e-mail that it received Ferris's
report and is "aggressively investigating" the flaw.
The Redmond, Wash., company is not aware of attacks that try to use
the reported vulnerabilities or of any customer impact, according to a
Ferris declined to give details about where in IE he found the hole,
but said it is not a variant of other known flaws in the widely used
"It's not like any other flaw in IE=97it's definitely different," Ferris
Ferris, an independent security researcher who lives in Mission Viejo,
Calif., and operates the SecurityProtocols.com Web site, said he told
Microsoft about it on Aug. 14 using the firstname.lastname@example.org e-mail
address and has exchanged e-mail with a company researcher since then,
but hasn't heard anything from the company in a week.
He said staff at Microsoft appeared to be struggling to understand the
"I've given them more than enough information to understand it =85 but
they keep asking for more details," he said.
Ferris did not provide proof-of-concept code that shows how the hole
can be used to gain remote access to affected machines, but did
provide proof-of-concept code that crashes IE.
"It's a blatant access violation crash," he said.
Microsoft said it would take action to address Ferris's report when it
completes its investigation.
If Ferris's reported vulnerability holds up, possible remedies could
include an unscheduled security patch or a patch released on the
company's regular monthly schedule, according to the Microsoft
Ferris hasn't tested the hole on other versions of Windows XP or
Internet Explorer and doesn't know if it will work on other versions
of those products.
He said he doesn't believe that other people have discovered the hole,
though he acknowledged that he might not be the only researcher who
had discovered it.
Windows XP SP2 users who also use Internet Explorer Version 6 have few
options for protecting themselves from attacks that use the
Changing the Internet Explorer security settings will not stop attack
code from executing on affected systems, and firewall and host
intrusion detection products that Ferris tested did not detect the
exploit, he said.
Ferris suggested IE users concerned about being attacked using the
flaw should switch to other Web browsers until Microsoft has patched
Microsoft encourages security researchers like Ferris to follow
"responsible disclosure" practices and not to publicize holes before a
patch is available.
Ferris said he is aware of the company's position and considers
himself in a "grey area," because he has not released any details
about the vulnerability he found.
Ferris said that he publicized the existence of a hole to warn IE
users, who might consider refraining from using the browser until the
hole is fixed.
Sept 16-18th, 2005
San Diego, California