
Thread: Another Internet Explorer flaw found

  1. #1
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126

    Another Internet Explorer flaw found

    A computer science researcher has highlighted the shortcomings of Microsoft's latest patch for its Internet Explorer browser by identifying another way that online vandals could run malicious programs on a Web surfer's computer.
    Microsoft on Friday released a fix that's designed to protect computers from one of three flaws that, together, could be used to digitally slip past a PC's security through the browser. This weekend, however, a security researcher identified another flaw that could serve the same purpose and that isn't fixed by Microsoft's patch.

    "They chose to address only one part of the problem," said Jelmer Kuperus, a computer science student in the Netherlands who posted the code for the work-around. "They should have seen this one coming."

    This marks the third time in a month that Microsoft has had to play catch-up to researchers' public disclosures about insecurities in Internet Explorer. In early June, Kuperus found a Web site that used two previously unknown vulnerabilities, plus the recently patched one, to install adware on victims' computers. Additionally, security researchers discovered last week that a milder vulnerability, which Microsoft had fixed in early versions of the browser, reappeared in later versions.

    Microsoft acknowledged the latest issue and said more fixes would be forthcoming.

    "The company is working to provide a series of security updates to Internet Explorer in coming weeks that will provide additional protection for customers," a company representative told CNET News.com. The company will also "continue to actively investigate these reports."

    The most recent flaw is not new--security researchers first discussed the issue in January, Kuperus said. It had originally been considered minor, but the flaw is significant because it can be used in conjunction with the two other vulnerabilities, which were found at the beginning of June. Together, all three add up to easy access to Windows computers running Internet Explorer.

    "Most exploits we are seeing developed today are composed of multiple vulnerabilities, (each one) bypassing a specific security feature of Internet Explorer," Kuperus said. "Individually, many of these issues often are fairly harmless, but combined they can pose serious risk."

    Both the original and the latest vulnerabilities exist in a library of components and scripting features known as ActiveX. The older flaw is in ADODB.Stream, while the latest vulnerability is in the Application.Shell component.

    Vulnerabilities in IE have become so common that some security researchers are recommending that people adopt alternate browsers. The Computer Emergency Response Team, the official U.S. body responsible for defending against online threats, also advised security administrators to consider moving to a non-Microsoft browser, as one of six recommended responses.

    Microsoft recommends that users go to the company's Protect Your PC site for the latest information.
    Source: http://zdnet.com.com/2100-1105_2-5259374.html
    -Simon "SDK"

  2. #2
    Senior Member
    Join Date
    Mar 2003
    Posts
    245
    Get OpenSolaris http://www.opensolaris.org/

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by spurious_inode
    www.openbsd.org
    And how's this supposed to protect us from this flaw?
    Do you really think big enterprises will drop windows and run OpenBSD?
    Heck, you don't even get them to replace IE with something else (believe me I've tried).

    [edit]Oh, and don't worry I'm a very happy *BSD user[/edit]
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Senior Member
    Join Date
    Mar 2003
    Posts
    245
    Originally posted here by SirDice
    And how's this supposed to protect us from this flaw?
    Do you really think big enterprises will drop windows and run OpenBSD?
    Heck, you don't even get them to replace IE with something else (believe me I've tried).

    [edit]Oh, and don't worry I'm a very happy *BSD user[/edit]
    I didn't say anything about suits and Lusers getting a clue. I was just taking this opportunity
    to plug for OpenBSD.

    -- spurious
    Get OpenSolaris http://www.opensolaris.org/

  5. #5
    Junior Member
    Join Date
    Nov 2002
    Posts
    1

    New Shell.Application IE problem

    A new IE flaw (which many have noted) has been turned into a proof of concept, with code provided.

    Here is the link to it: http://www.k-otik.com/exploits/07072...ationShell.php

    Users can update their computers with this registry patch (in lieu of a Microsoft patch):
    http://www.k-otik.com/news/03072004IEfix.reg

    Ciau...

    digitalpimp

  6. #6
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830
    I don't use IE myself, but I constantly caution anyone - especially the security clueless - from believing the anti-Microsoft mantra that everything non-Microsoft is automatically secure. Some may be more inherently secure than others, but they all have learning curves and they all have vulnerabilities and the products are only as secure as the users keep them.

    To illustrate the point, while the Microsoft bashers, and even Microsoft itself it seems, are telling everyone to jump ship because there are just too many holes in IE and the flaws exist at a fundamental design level that can't be easily patched, the competing browsers have the same or similar issues.

    First there was the discovery that almost all browsers suffered from a 6-year-old vulnerability that would allow an attacker to spoof a web site. Now, after Jelmer's revelation that the Microsoft "fix" was too narrow in scope and that other problems of equal magnitude still exist in IE, Secunia has released an advisory (SA12027) stating that almost all versions of Mozilla are vulnerable to the same exploit.

    It seems to me that maybe the flaws in IE that everyone is ranting about and bashing Microsoft for exist at a more fundamental level of the browser code that exists outside of Microsoft and is used as the basis for web browsing in general. It just happens that IE has 90% or more market share for web browsers and they're an easy target when it comes to software flaws and security issues.

    My point isn't so much to defend Microsoft as it is to illustrate that the competition has many of the same issues and to caution people from assuming they are secure just because they jump ship and use Mozilla or Opera or some other browser.
