-
January 10th, 2005, 09:39 PM
#1
This was rejected on Slashdot...
... so might as well post it here.
According to an article by Secunia, there are three bugs in IE even after SP2.
1) Insufficient validation of drag and drop events from the "Internet" zone to local resources for valid images or media files with embedded HTML code. This can be exploited by e.g. a malicious web site to plant arbitrary HTML documents on a user's system, which may allow execution of arbitrary script code in the "Local Computer" zone.
2) A security site / zone restriction error, where an embedded HTML Help control on e.g. a malicious web site references a specially crafted index (.hhk) file, can execute local HTML documents or inject arbitrary script code in the context of a previously loaded document using a malicious javascript URI handler.
Successful exploitation may allow execution of arbitrary HTML and script code in a user's browser session in the context of arbitrary sites, or execution of local programs with parameters from the "Local Computer" zone using an HTML Help shortcut.
3) A security site / zone restriction error in the handling of the "Related Topics" command in an embedded HTML Help control can be exploited by e.g. a malicious website to execute arbitrary script code in the context of arbitrary sites or zones.
Secunia has an online test to see if you are vulnerable. As of the article, there is no official patch available, and, interestingly enough, they advise users to switch browsers.
-
January 10th, 2005, 09:43 PM
#2
No doubt it was rejected. They are pretty much done with announcements, unless it is "Bill Gates crowned King of the Universe, Mass Riots Ensue." :P
No offense to /. but I burned out on their tripe years ago. The discussions just don't do it for me there.
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
-
January 10th, 2005, 09:45 PM
#3
No doubt it was rejected. They are pretty much done with announcements, unless it is "Bill Gates crowned King of the Universe, Mass Riots Ensue." :P
No offense to /. but I burned out on their tripe years ago. The discussions just don't do it for me there.
I am noticing that very quickly, but I thought it would be important for people to know, but then again, anybody can use Google news. From now on, I'll just keep the articles to myself or post it on ALS. hehe
-
January 10th, 2005, 11:40 PM
#4
LMAO! And right here on the AO main page....at the top of EIT Planet's Security News:
IE6 Vulnerability Goes Critical
Some days it just isn't even worth gnawing through the leather straps, ya know?
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
-
January 10th, 2005, 11:46 PM
#5
The problem is also avoided by disabling the "Drag and drop or copy and paste files" option in Internet Explorer (Tools > Internet Options > Security > Custom Level) or, alternatively, by setting the Internet zone security level to "High".
*Cough* My Group Policy has enforced that for almost a year... OK, it's Custom, rather than high, but it mitigates the issue.....
This stuff isn't rocket science you know.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
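The mitigation quoted above (disable "Drag and drop or copy and paste files" in the Internet zone, or raise the zone to "High", ideally enforced through Group Policy) can be audited from the registry. The script below is an added example, not code from the thread or from Secunia: it reads the Internet zone (Zones\3) from the machine and user policy hives and from the user's own settings, reports the effective value of URL action 1802 (Microsoft's URLACTION_SHELL_MOVE_OR_COPY, the "Drag and drop or copy and paste files" option: 0 = Enable, 1 = Prompt, 3 = Disable) and the zone template (CurrentLevel 0x12000 = High), and says whether either mitigation is in place. The precedence order policy-over-user is an assumption of the script; the function name is made up for this example.

```powershell
# Added example: audit the IE Internet-zone drag-and-drop mitigation described in the thread.
# Registry layout (Microsoft IE security-zone settings):
#   ...\Internet Settings\Zones\3      = Internet zone
#   value "1802"  (URLACTION_SHELL_MOVE_OR_COPY) = "Drag and drop or copy and paste files"
#                 0 = Enable, 1 = Prompt, 3 = Disable (absent = IE default, Enable)
#   value "CurrentLevel"               = zone template; 0x12000 = High
function Test-IEDragDropMitigation {
    [CmdletBinding()]
    param()

    # Assumption: machine policy wins over user policy, which wins over the user's own settings.
    $candidates = @(
        @{ Source = 'HKLM policy'; Path = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' },
        @{ Source = 'HKCU policy'; Path = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' },
        @{ Source = 'HKCU user';   Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' }
    )

    $dragDrop   = $null; $dragSource  = 'not set'
    $level      = $null; $levelSource = 'not set'

    foreach ($c in $candidates) {
        # Missing keys are normal (no policy applied), so swallow the error and move on.
        $props = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        if ($null -eq $dragDrop -and $null -ne $props.'1802') {
            $dragDrop = [int]$props.'1802'; $dragSource = $c.Source
        }
        if ($null -eq $level -and $null -ne $props.CurrentLevel) {
            $level = [int]$props.CurrentLevel; $levelSource = $c.Source
        }
    }

    $names = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
    $dragText = if ($null -eq $dragDrop) { 'Enable (IE default, value absent)' }
                elseif ($names.ContainsKey($dragDrop)) { $names[$dragDrop] }
                else { "unknown ($dragDrop)" }

    [pscustomobject]@{
        DragDropSetting = $dragText
        DragDropSource  = $dragSource
        ZoneLevel       = if ($null -ne $level) { '0x{0:X}' -f $level } else { 'not set' }
        ZoneLevelSource = $levelSource
        # Either a custom level that disables 1802 (Tiger Shark's setup) or the High template counts.
        Mitigated       = ($dragDrop -eq 3) -or ($level -eq 0x12000)
    }
}

Test-IEDragDropMitigation | Format-List
```

Run it in the context of the user whose browser you are checking; a policy-sourced "Disable" is the state to aim for on a managed fleet, since a user-sourced value can be changed back from the Custom Level dialog. The check covers only the drag-and-drop mitigation; the two HTML Help issues in the advisory are not addressed by this setting.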
-
January 11th, 2005, 12:00 AM
#6
Originally posted here by Tiger Shark
This stuff isn't rocket science you know...
Unfortunately, for some people it *is*...or may as well be.
<phb>
What do you mean we are vulnerable?
Don't we pay for a firewall, intrusion detection monitoring, and anti-virus software?
How can we still be vulnerable?
Can't you do your job?
</phb>
Sorry, had to get it out. Thank god for the fox. Get firefox!
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
-
January 11th, 2005, 12:01 AM
#7
*Cough* My Group Policy has enforced that for almost a year... OK, it's Custom, rather than high, but it mitigates the issue.....
This stuff isn't rocket science you know.....
Not everybody is a rocket scientist, and MS is slow with patches to resolve the issue. No big deal. Like I said, it's best to keep this stuff to myself.
-
January 11th, 2005, 12:14 AM
#8
"When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
"There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
"Mischief my ass, you are an unethical moron." - chsh
Blog of X
-
January 11th, 2005, 12:28 AM
#9
Donkey: That wasn't aimed at you personally..... Don't take it that way.....
You say M$ is "slow".... Hmmm... I bet you were one of those that complained that M$ provided a patch every three days too.... They can't win..... No problem.... I'm an M$ guy.... I seem to know my OS well enough to use what is _already_ built into it to mitigate the threats prior to having to download a patch....
Don't keep this stuff to yourself..... It's exactly people like you pushing this stuff "up front" that allows me to see the threat and mitigate against it....
Wanna make a deal? You keep putting up the M$ threat and I'll tell you how to mitigate or detect.... Fair?
Zencoder:
Sorry, had to get it out. Thank god for the fox. Get firefox!
I use firefox myself, (using it now), but it has some limitations that either my users can't live with or that "cost" me too much in help desk. As the admin I _should_ understand my system sufficiently to be able to mitigate the threat... OK, ok, I know that's "unusual".... maybe I'm a freak... But this stuff is all doable..... It just takes the time to study the exploit and study the network to come up with a mitigation..... OK, sometimes that means closing a service or limiting it.... But the mitigation is _always_ there.... The challenge is finding it....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
January 11th, 2005, 04:33 PM
#10
Wanna make a deal? You keep putting up the M$ threat and I'll tell you how to mitigate or detect.... Fair?
Do what you want.