
Thread: Security firm warns of new IE flaw

  1. #1
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126

    Security firm warns of new IE flaw


    A security services company warned of a new vulnerability in Microsoft's Internet Explorer Web browser that could allow Web surfers to be tricked into downloading malicious files.

    Danish company Secunia posted details of the alleged flaw, which could be used in combination with an earlier "spoofing" flaw reported by the company.

    A Microsoft representative said the company was investigating the report but was not aware of any exploits involving the supposed flaw. The representative also echoed previous criticisms of security researchers publicizing software flaws before software makers can adequately investigate and remedy the problems. "Microsoft continues to encourage the responsible disclosure of vulnerabilities," the representative said.

    The new flaw could allow the owner of a malicious Web site to deliberately misidentify a downloadable file, so a malicious program file could be made to appear as if it were a secure file. Visitors might think they were downloading a document based on Adobe's portable document format (PDF), for instance, but actually receive a malicious, self-executing program such as the new MyDoom worm.

    Secunia's advisory includes an online test showing how the flaw could be exploited. The company said it identified the hole in the current version 6 of Internet Explorer, but previous releases also could be affected. Secunia representatives did not immediately respond to a request for comment.

    The alleged flaw could be particularly effective if used in combination with another IE hole identified by Secunia last month. That flaw lets Web site owners disguise the identity of their site by displaying a false address in the Internet Explorer address and status bars.

    Microsoft has yet to release a patch for that vulnerability, although it has posted a bulletin with tips for avoiding such "spoofed" sites. Among the tips are not clicking hyperlinks. "Rather, type the URL of your intended destination in the address bar yourself," Microsoft advises.

    Microsoft's delay in addressing that flaw has drawn criticism from security experts and led an open-source programming group to create its own patch for the flaw.

    Microsoft last year instituted a new policy for patching security holes, deciding to cluster fixes in a single monthly release rather than distributing piecemeal updates.
    Source : http://zdnet.com.com/2100-1105_2-5149583.html
    Secunia Advisories : http://www.secunia.com/advisories/10736/
    -Simon "SDK"
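The flaw described in the article above boils down to a download whose displayed name and type do not match its real contents (a file presented as a PDF that is actually an executable). The following is an added defender-side example, not code from the article, from Secunia or from Microsoft: it compares the extension a user sees with the leading "magic" bytes of the file and flags the mismatch. The signature table and the sample downloads are constructed for this demonstration, and the check is deliberately browser-independent, the kind of sanity check a download proxy or endpoint tool can apply regardless of how the browser labelled the file.

```python
# Added example (not from the article, Secunia or Microsoft): flag downloads whose
# claimed extension disagrees with the file's real leading bytes.
from __future__ import annotations

# Constructed signature table: leading bytes for a few common formats.
MAGIC = {
    "pdf": [b"%PDF-"],
    "exe": [b"MZ"],                    # DOS/Windows PE executables start with "MZ"
    "zip": [b"PK\x03\x04"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Formats that run code when opened; a mismatch landing here is the dangerous case.
EXECUTABLE_TYPES = {"exe"}


def sniff_type(data: bytes) -> str | None:
    """Return the format whose magic bytes match the start of data, or None."""
    for name, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return name
    return None


def claimed_extension(filename: str) -> str:
    """Extension the user sees (lower-cased, without the dot; '' if none)."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def assess_download(filename: str, data: bytes) -> dict:
    """Classify a download as 'ok', 'mismatch' or 'unknown'.

    'mismatch' means the bytes identify a different format than the name claims;
    'executable' is True when the real format is one that runs code.
    """
    claimed = claimed_extension(filename)
    actual = sniff_type(data)
    if actual is None:
        verdict = "unknown"          # no signature we know; cannot confirm either way
    elif actual == claimed:
        verdict = "ok"
    else:
        verdict = "mismatch"
    return {
        "filename": filename,
        "claimed": claimed,
        "actual": actual,
        "verdict": verdict,
        "executable": actual in EXECUTABLE_TYPES,
    }


# Constructed sample downloads: a genuine PDF, a PE file wearing a .pdf name,
# and a text file with no recognisable signature.
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "notes.txt": b"plain text, no signature",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = assess_download(name, data)
        print(f"{name}: claimed={r['claimed']} actual={r['actual']} "
              f"verdict={r['verdict']} executable={r['executable']}")
```

Running it reports `report.pdf` as `ok`, `invoice.pdf` as a `mismatch` whose real format is executable, and `notes.txt` as `unknown`. The point of the `unknown` verdict is that absence of a known signature is not evidence of safety; a real deployment would treat it as "not verified" rather than "clean".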

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    I have to support MS on this one....it is just like the Army?

    If you have a **** on drugs he walks point until he walks into something unpleasant?

    An officer carries a pistol for one reason.....to shoot cowards and others who endanger his command?

    Secunia are now on my "NEVER DEAL WITH" list......they are totally ignorant ......you do not advertise how f888ing stupid you are, do you? THEY JUST HAVE

    Please have a look at the CERT security site.............they give 30 days before releasing an alert.

    I am really pissed off by these "look how clever we are" toss pots...to me they are trash who have only just discovered that number characters play no part in the English language

    If that vulnerability, if it is one, hits anyone in Europe before MS offer an update then they will be sued out of existence.....and deserve it!!!

    I wish them in hell, along with the scum that they are inadvertently encouraging.

    There are no prisoners in this war?

    Cheers

  3. #3
    Senior Member Info Tech Geek's Avatar
    Join Date
    Jan 2003
    Location
    Vernon, CT
    Posts
    828
    Well, there are two sides to it. If the vul. is made known to the underground, then we security professionals don't know what we are up against; if it is made public, then you have a bunch of kiddies trying to play with it. It is a lose/lose situation, but I stand firm: I should know what I am up against, so I have one ear to the underground.

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    nihil, just be glad YOU know. Now you can help to protect those around you. If they didn't publish it, that doesn't mean nobody knows. I've been watching them for a while. They don't have that much going for them; in fact half of their 'findings' are fairly dumb and the rest I believe they get from third parties. But the point is I watch them. That's what a good security person is supposed to do. Maybe MS should hire some good security people, or at least not pretend that they don't have them with statements like...duh! First I heard about it.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  5. #5
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    I'm torn on this one...I mean, I don't think that a vulnerability should be blown in the open before a patch is available. By the same token, I don't believe in "security by obscurity" either.

    I guess what is needed is a happy medium....If the flaw is that big of a risk, they shouldn't just broadcast it like that but rather post something like this:

    IE 6 vulnerability alert

    New vulnerability blah blah bla blah...

    Could allow blah blah blah

    Microsoft has been notified of the vulnerability and has issued the following security guidance:

    1.) Don't do this
    2.) Don't do that
    3.) Do this, this, and this

    This flaw will be addressed in update %XXX%, scheduled for release on %Date%

  6. #6
    Junior Member
    Join Date
    Sep 2003
    Posts
    13
    I think part of the problem is that Secunia already released info on a similar vulnerability over a month ago and MS has yet to act on that one - so why should they believe that MS will act with any accountability on this new one? I mean we are talking about MS here. Their advice on the first flaw was, "don't use hyperlinks"! Not that releasing flaws willy-nilly is right, but when MS refuses to act those of us on the bleeding edge of security need to know.

    Todd
