Microsoft Corp. is investigating a new set of potentially serious security flaws in Internet Explorer and Outlook reported by security company eEye Digital Security, the software maker said today.
The two flaws in the Web browser and e-mail client could let an attacker take control over a system with minimal action from the user, eEye said in two security alerts posted on its page of upcoming advisories. The company ranks the flaws as "high" risk.
One of the vulnerabilities could let an attacker compromise a user's machine after the user clicks on a Web link, said Marc Maiffret, co-founder and chief hacking officer at eEye. "Nothing that would be normally suspicious to the user," he said.
The flaws affect both Outlook and Outlook Express, Maiffret said.
The vulnerabilities exist in the default installations of the applications on most current versions of Windows, according to Aliso Viejo, Calif.-based eEye. The company said on its Web site that it has informed Microsoft and won't provide further details until Microsoft has provided a patch or security alert.
"We keep all the details private until Microsoft produces a patch. But that is not to say that nobody else has discovered the vulnerability and produced an exploit," Maiffret said. However, eEye hasn't yet seen any attacks that take advantage of the flaws, he said.
Microsoft is investigating the privately reported potential vulnerabilities, a spokeswoman for the software maker said. The company isn't aware of any attempts to exploit the vulnerabilities, she said.
Upon the completion of the investigation, Microsoft will take the appropriate action to protect users. That could be a fix as part of the company's monthly patching cycle, a fix in the next service pack or a special update, the spokeswoman said.
EEye reported the flaws to Microsoft on March 16 and March 29, according to the eEye Web site.
Maiffret said he hopes Microsoft will produce a patch within two months, the industry-standard time for delivering a fix.
Source