Posted on 01/11/2005 3:19:05 AM PST by Happy2BMe
E Flaw Exploited
Security firm identifies exploit technique for known browser hole.
Matthew Broersma, Techworld.com Friday, January 07, 2005
Internet Explorer has become an even bigger security risk--even under Windows XP SP2--with the publication of a new and extensive exploit.
Advertisement
Security researchers have warned that the exploit, which takes advantage of known loopholes in SP2, could allow an attacker to run script code on a user's system via a specially crafted Web page.
Known Hole
The holes involved have been known publicly for more than two months, but previous exploit techniques required the user to take actions such as dragging an image from one part of a Web page to another. The new exploit--a demonstration of which has been published by Danish security firm Secunia--is fully automated, requiring the user only to visit a Web page in Explorer. Other browsers and operating systems aren't affected.
"There now is a 'reliable' working exploit that can compromise an SP2 system by just visiting a Web page," says Secunia chief technology officer Thomas Kristensen. Secunia has raised its warning level to its highest, "extremely critical."
Security group Greyhats warned of the new type of exploit in an advisory in late December. Secunia then upgraded its advisory to "extremely critical" and published a demonstration based on a proof-of-concept by a researcher known as ShredderSub7. US-CERT, the U.S. computer security alert organization, has also published an advisory on the issue.
Issues Identified
Microsoft has warned users to turn off IE's 'Drag and drop or copy and paste files' option as a partial solution. The danger can also be lessened by setting security levels to high for the 'Internet' zone or, as several security firms pointed out, using another browser.
The exploit is the first major weakness in SP2 to have surfaced. Microsoft is promoting SP2, released last summer, as a solution to many of Windows' worst security problems.
Researchers have identified three separate but related issues in IE: a bug in the validation of certain drag-and-drop events, and zone restriction errors with embedded HTML Help ActiveX controls. The first problem can be avoided by disabling the 'Drag and drop or copy and paste files' option, but the new exploit doesn't rely on this particular bug, researchers said.
The HTML Help control exploit bypasses one of SP2's key features, the 'Local Machine' zone lock down, designed to make it far more difficult for attackers to execute script on a local system.
ping
aHHHHHHHHHHHHH. . . .
BUT NOT BITCHING about Microslop
would take away the only semblence of recourse left.
Besides . . . what a release--what pseudo-fun.
Oh, I know . . . sigh . . .
"In ALL things give thanks for this is the will of God in Christ Jesus concerning you."
Still working on that one.
THX.
I don't run XP so won't ever have a chance to test it and comment on it, but I wonder about any false positives (something all can have).
That's right, Meek. You can put a web address into the address bar of Windows explorer and access the web. They can also access you through that same door.
I can't remember what site it is, something similar to GRC, where you can do security tests, and one javascript will pop open all your CD drawers. That's how tied IE is to the OS.
Check this out. Some sewer-ware outfit was using browser hijackers, popups, and opening CD drawers to scare the gullible into buying their "Spywiper"!
http://tired-of-spam.home.comcast.net/spywiper.html
If a program has "spy" or "spyware" or "ad" in the name, you can't be sure it's a safe program anymore. Be wary of ANY new spyware remover. Always ask around and/or check computer forums for the tried and true. Don't try anything just because it comes up in a search.
And we're 30 days away from "Patch Tuesday". Why anyone uses IE at all is beyond me.
Thanks. :^)The guys that do this stuff are Internet Terrorists.
And a few fingers....ahem....hacked off.
I have a main & a fallback PC at home, both running Win2000pro, one DSL and one dialup, and MSantispyware found one file one each, with different names. None of the other stuff I use, including a few onlines scans, said "boo!" Of course, false positives do happen.
I thought the fix was supposed to be out today. Apparently not. I went to the update site (I am running IE 6 and Win XP but use Netscape) and no updates were listed for my computer.
What if they can't fix it? What then?
SP3 will surely do the trick.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.