Internet Explorer 6 Hacks And Holes Exposed
[Feb. 28, 2002]
In today's world you're not even safe when you’re crossing the street at 2PM on a weekday. You can't look at someone the wrong way, you can't accidentally stumble into someone, and in some countries you can't even speak your mind: if you do, the consequences are deadly. It's no different on the Internet.
For the average home user running Windows 9x, ME, 2000, or XP, it's nearly impossible to keep up with the constant bug fixes for all of your applications. Obviously, the safest way to run your computer would be to never connect to the Internet at all, but what kind of a boring life would that be?
Over the last couple of days I've spent many an hour scouring the 'net for patches, bug fixes, and updates for my Windows 2000 web server running IIS 5, because that's where I'd be most vulnerable, right? Well, apparently not. I was reading a new post the other day that linked to this site (see bottom). What I found on that site shocked me.
Apparently Microsoft were in a little bit of a rush to get Internet Explorer 6 out the door and forgot to take that extra bit of time to debug and test it for security cracks and holes... naughty naughty.
If you're wondering how the heck a browser can be hacked, then please allow me to explain. Firstly, Microsoft's implementation of client-side JScript (Microsoft's version of JavaScript) exposes some simple security flaws that allow us to use common JScript functions such as document.open and document.write to spoof another site, steal cookies, and, more worryingly, physically read existing files on a user's machine... all through one or two lines of code.