Unpatched Internet Explorer flaws reach “extremely critical” stage
Secunia said today it has raised its rating of three unpatched flaws in Microsoft’s Internet Explorer 6 to "extremely critical," its highest rating.
According to CNET, Thomas Kristensen, Secunia's chief technology officer, said the flaws could enable attackers to place and execute programs such as spyware and pornography dialers on victims' computers without their knowledge.
Exploit code for one of the vulnerabilities, a flaw in an HTML Help control, was published on the internet on December 21 in an advisory by GreyHats Security Group.
"In order for us to rate a vulnerability as extremely critical, there has to be a working exploit out there and one that doesn't require user interaction," Kristensen said. "This is our highest rating and is the last warning for users to fix their systems."
The exploit code can be used to attack computers running Windows XP even if Microsoft's Service Pack 2 patch has been installed, Secunia said. The company is advising people to disable IE's ActiveX support as a preventative measure until Microsoft develops a patch for the problem. It also suggests using another browser product.
The company first issued an alert about the three security holes in October. "Microsoft knew of this back in October," Kristensen said. "In my opinion, it's not fair to have a vulnerability known for two months without having an available patch, especially when every little detail (of the vulnerability) is out there."