Expert finds vulnerabilities in Microsoft browser

BOSTON (Reuters) - A security research firm said it discovered another set of vulnerabilities in Internet Explorer, a day after Microsoft Corp patched the Web browser following a high-profile cyber attack on Google in China.

The software maker issued a patch on Thursday to fight malicious software that was used in the attack on Google Inc and dozens of other companies which operate in China.

Research firm Core Security Technologies said on Friday that it discovered another set of vulnerabilities in Internet Explorer that hackers can link together and exploit, to remotely access all of the data on a personal computer.

“There are three or four ways to conduct this type of attack,” said Jorge Luis Alvarez Medina, a security consultant with Boston-based Core, who will demonstrate the vulnerability at the Black Hat security conference in Washington, which begins February 2.

A spokeswoman for Microsoft said she could not immediately comment on the matter.

Alvarez Medina said hackers can exploit a string of four or five minor vulnerabilities in Internet Explorer, which is used on hundreds of millions of PCs around the world.

Although none of the vulnerabilities are serious enough to compromise a machine, a hacker could take control of a PC by exploiting all of them at once, he said.

The combination would overwhelm the browser, giving a hacker access to all data on the PC after a user clicks on a malicious link, he said.

Alvarez Medina added that he was uncertain whether any hackers had already exploited the weaknesses, which Microsoft has yet to patch.

He said that Core was working with Microsoft to find a way to mitigate the risk, but added that he believed other vulnerabilities would crop up even after a solution to these.

“It is likely that people will come up with new ones over time,” he said.

Reporting by Jim Finkle, editing by Leslie Gevirtz