Microsoft Investigating New IE Flaw

Microsoft says it is investigating a report of a new vulnerability discovered in Internet Explorer that stems from XmlHttpRequest, a JavaScript object used in AJAX Web applications such as Google Maps. In an advisory, security firm Secunia says the flaw affects IE6 on a fully patched Windows XP SP2 system.

According to the initial paper detailing the problem written by Amit Klein, Internet Explorer can be fooled into running arbitrary HTTP requests. "IE doesn't validate some critical fields that are provided by the user," Klein said.

"Input passed to the method parameter in the "open()" function in the "Microsoft.XMLHTTP" ActiveX control isn't properly sanitised before being used," Secunia explained. "Successful exploitation requires that the HTTP request is sent to a server or via a proxy allowing tab characters instead of spaces in certain parts of the HTTP request."

In a statement, Microsoft said it was looking into the vulnerability, but was not aware of any attacks exploiting the flaw. As per its standard security policy, the company may issue an update as part of its monthly Patch Tuesday or provide an emergency fix.

Secunia has labeled the vulnerability risk "Moderately critical" and recommends that Internet Explorer users set their security level to "High."

Only IE 6 is affected by the problem. In his report, Klein said Mozilla fixed a similar security flaw in Firefox with the release of version 1.0.7.