BleepingComputer.com > Internet Explorer - 2 new critical vulnerabilities

Full Version: Internet Explorer - 2 new critical vulnerabilities

BleepingComputer.com > Security > AntiVirus, Firewall and Privacy Products and Protection Methods

harrywaldron

Jun 9 2004, 04:09 PM

This new bulletin advises to "Disable Active Scripting support for all but trusted web sites"

SA11793: Internet Explorer Local Resource Access and Cross-Zone Scripting Vulnerabilities

http://secunia.com/advisories/11793/

QUOTE

Secunia Advisory: SA11793
Release Date: 2004-06-08

Critical: Extremely critical

Impact: Security Bypass and System access

Two vulnerabilities have been reported in Internet Explorer, which in combination with other known issues can be exploited by malicious people to compromise a user's system.

1) A variant of the "Location:" local resource access vulnerability can be exploited via a specially crafted URL in the "Location:" HTTP header to open local files.

2) A cross-zone scripting error can be exploited to execute files in the "Local Machine" security zone.

Secunia has confirmed the vulnerabilities in a fully patched system with Internet Explorer 6.0. It has been reported that the preliminary SP2 prevents exploitation by denying access.

Successful exploitation requires that a user can be tricked into following a link or view a malicious HTML document. The vulnerabilities are actively being exploited in the wild to install adware on users' systems

Solution: Disable Active Scripting support for all but trusted web sites.

harrywaldron

Jun 10 2004, 10:55 AM

IE flaws used to spread pop-up toolbar

http://news.com.com/IE+flaws+used+to+sprea..._3-5229707.html

An adware purveyor has apparently used two previously unknown security flaws in Microsoft's Internet Explorer browser to install a toolbar on victims' computers that triggers pop-up ads, researchers said this week. On Tuesday, security information group Secunia released an advisory about the problem, rating the two flaws "extremely critical."

SA11793: IE Local Resource Access and Cross-Zone Scripting Vulnerabilities
http://secunia.com/advisories/11793/

Microsoft's Toulouse said Internet Explorer users could harden the software against such attacks by following instructions on the company's site. Other browsers available on Windows, such as Opera and Mozilla, do not contain the flaws.

Here are some additional Protective Recommendations from Microsoft:

http://www.microsoft.com/security/incident/settings.mspx

harrywaldron

Jun 16 2004, 10:23 AM

Another new IE trojan capitalizing on IE vulnerabilities

http://secunia.com/virus_information/10089/ject/

Download.Ject is a Trojan that attempts to download and install a file on a compromised system by exploiting a vulnerability in Internet Explorer. The Trojan is triggered by visiting a web site that contains the exploit code.

I hate spyware!

Jun 26 2004, 11:39 AM

QUOTE(harrywaldron @ Jun 16 2004, 11:23 AM)

Yeah, its very bad news, i saw i simlar story on BBC NEWS, and it said to find out if you have 'surf.dat' is go in to search and then type it in, but i haven't been infected

jgweed

Jun 28 2004, 01:10 AM

Time to Dump Internet Explorer
It's time to tell our users, our clients, our associates, our families, and our friends to abandon Internet Explorer.
By Scott Granneman Jun 17 2004 07:54AM PT

http://www.securityfocus.com/columnists/249

The writer argues that the continual security problems with the ubiquitous IE makes a strong case for switching browsers, and recommends Mozillla's Firefox:

" As people who care about security - and who so often work with people who care nothing about security - it's our responsibility to spread the word about a better Web browser that does not constantly compromise the basic security of our computers and networks."

Regards,
John

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.