Updated 7/2/2004 - Two major flaws in Microsoft's Internet Explorer web browser have been discovered. These vulnerabilities are rated as "extremely
critical" and no patches are currently available to fix them. The security holes are already being used by unscrupulous operators to install Adware
on the computers of unsuspecting Internet users. More dangerous applications are sure to follow.
Internet Explorer carved up by zero-day hole
Two new vulnerabilities have been discovered in Internet Explorer which allow a complete bypass of security and provide system access to a computer,
including the installation of files on someone's hard disk without their knowledge, through a single click.
Please visit the link provided for the complete story.
"Zero Day" exploits are those that appear with no warning time between the recognition of a security flaw and the ability of someone to exploit it.
There are additional links to support this story and describe technical details of the method used to infect systems remotely, but I choose to omit
them because these sites also explain exactly how to code the exploit.
This very sophisticated attack is triggered by a specially crafted hyperlink and has been used to install the
iLookup Toolbar.
Until Microsoft releases a hotfix for this problem (which may come along with Windows XP Service Pack 2, due out in late July or August) the only way
to safeguard against this malicious script is to
disable active scripting in
Internet Explorer. A more prudent suggestion would be, in my opinion, to use another web browser. While exploits for Mozilla and Opera exist,
they are not as common.
This announcement comes on the heels of .
Microsoft Security Bulletin Summary for June, 2004.
This bulletin covers two relatively minor updates for "DirectPlay" and "Crystal Reports Web Viewer."
Related News Links
Secunia - Cross Zone scripting
Updated, 7/2/2004:
Microsoft releases an interim configuration change to offset the threat of security exploits affecting Internet Explorer ahead of its scheduled July
round of updates.
What You Should Know About Download.Ject
On Friday, July 2, 2004, Microsoft is releasing a configuration change for Windows XP, Windows 2000, and Windows Server 2003, to address recent
malicious attacks against Internet Explorer, also know as Download.Ject.
Windows customers are encouraged to apply this configuration change immediately to help be protected from current Internet Explorer exploits.
The update is currently available on the Download Center and will be made available later today on Windows Update.
Customers who have enabled automatic updates will receive the configuration change automatically. We recommend that customers immediately install this
configuration change as soon as it is downloaded by automatic updates or by visiting the Windows Update site later today.
Please visit the link provided for the complete story.
A step in the right direction, but not enough
The SANS Internet Storm Center has confirmed reports that the new configuration change
does not prevent maliciously designed web pages from
running programs on a user's computer. For the full details please see their write-up:
ISC Handler's Diary
This patch will turn off the ADODB.Stream ActiveX Control, which has been used in conjunction with last weeks russian web site defacements to install
malware on unsuspecting user's PCs. Given the urgency demonstrated by last weeks exploits, Microsoft release this patch ahead of its next "Patch
Day" (July 13th). However, as demonstrated by the proof of concept code below, even after 'ADODB.Stream' is disabled, it is still possible to
launch programs on the users system without user interaction.
Please visit the link provided for the complete story.
[edit on 6-9-2004 by Valhall]
[edit on 2-7-2004 by Spectre]
[edit on 2-7-2004 by Spectre]