Browser Security News

Although Microsoft Corp. fixed four flaws in Internet Explorer (IE) yesterday, it did not address a protocol-handling problem that could trick users into downloading malware, a move that surprised at least one security researcher. The company, however, said it has reopened its investigation and may provide a patch in the future.

"I was prepared to talk about a patch yesterday," said Andrew Storms, director of security operations at nCircle Network Security Inc. "I expected to see Microsoft retract its prior stance and fix this." Storms was referring to the position that Microsoft first staked out in July — that Windows and IE are not to blame for the protocol-handling vulnerabilities cited by multiple researchers. This week, the blame game returned when Juergen Schmidt, a researcher at Heiese Security, said IE7 passed invalid Uniform Resource Identifiers (URI) to Windows XP, a bug that attackers could exploit to launch malicious code or scripts if users simply clicked on a link. Microsoft changes tune, may patch IE7 bug