SCI/TECH: 'Extremely Critical' Flaws in MS Internet Explorer

posted on Jun, 9 2004 @ 04:10 AM
Updated 7/2/2004 - Two major flaws in Microsoft's Internet Explorer web browser have been discovered. These vulnerabilities are rated as "extremely critical" and no patches are currently available to fix them. The security holes are already being used by unscrupulous operators to install Adware on the computers of unsuspecting Internet users. More dangerous applications are sure to follow.
 


Internet Explorer carved up by zero-day hole
Two new vulnerabilities have been discovered in Internet Explorer which allow a complete bypass of security and provide system access to a computer, including the installation of files on someone's hard disk without their knowledge, through a single click.

Please visit the link provided for the complete story.

"Zero Day" exploits are those that appear with no warning time between the recognition of a security flaw and the ability of someone to exploit it. There are additional links to support this story and describe technical details of the method used to infect systems remotely, but I choose to omit them because these sites also explain exactly how to code the exploit.

This very sophisticated attack is triggered by a specially crafted hyperlink and has been used to install the iLookup Toolbar.

Until Microsoft releases a hotfix for this problem (which may come along with Windows XP Service Pack 2, due out in late July or August) the only way to safeguard against this malicious script is to disable active scripting in Internet Explorer. A more prudent suggestion would be, in my opinion, to use another web browser. While exploits for Mozilla and Opera exist, they are not as common.

This announcement comes on the heels of the Microsoft Security Bulletin Summary for June, 2004. This bulletin covers two relatively minor updates for "DirectPlay" and "Crystal Reports Web Viewer."

Related News Links
Secunia - Cross Zone scripting

Updated, 7/2/2004:

Microsoft releases an interim configuration change to offset the threat of security exploits affecting Internet Explorer ahead of its scheduled July round of updates.

What You Should Know About Download.Ject
On Friday, July 2, 2004, Microsoft is releasing a configuration change for Windows XP, Windows 2000, and Windows Server 2003, to address recent malicious attacks against Internet Explorer, also known as Download.Ject.

Windows customers are encouraged to apply this configuration change immediately to help be protected from current Internet Explorer exploits.

The update is currently available on the Download Center and will be made available later today on Windows Update.

Customers who have enabled automatic updates will receive the configuration change automatically. We recommend that customers immediately install this configuration change as soon as it is downloaded by automatic updates or by visiting the Windows Update site later today.

Please visit the link provided for the complete story.


A step in the right direction, but not enough
The SANS Internet Storm Center has confirmed reports that the new configuration change does not prevent maliciously designed web pages from running programs on a user's computer. For the full details please see their write-up:

ISC Handler's Diary
This patch will turn off the ADODB.Stream ActiveX Control, which has been used in conjunction with last week's Russian web site defacements to install malware on unsuspecting users' PCs. Given the urgency demonstrated by last week's exploits, Microsoft released this patch ahead of its next "Patch Day" (July 13th). However, as demonstrated by the proof of concept code below, even after 'ADODB.Stream' is disabled, it is still possible to launch programs on the user's system without user interaction.

Please visit the link provided for the complete story.

[edit on 6-9-2004 by Valhall]
[edit on 2-7-2004 by Spectre]
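
The two mitigations named in the post above (the ADODB.Stream configuration change and disabling active scripting) can both be audited from the registry, which matters because the ISC excerpt says the first alone is not sufficient. The PowerShell below is an added example, not part of the original post or of Microsoft's update; the CLSID, the kill-bit value and the registry paths do not appear in the thread and are assumptions based on Windows' ActiveX kill-bit and security-zone settings.

```powershell
# Added example: audit the two mitigations discussed in the post above.
# Assumptions (not from the thread): the CLSID, kill-bit value and registry paths.
$AdodbStreamClsid = '{00000566-0000-0010-8000-00AA006D2EA4}'   # ADODB.Stream
$KillBit    = 0x400                                             # ActiveX kill bit
$ZoneSubKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # 3 = Internet zone

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-KillBitStatus {
    param([string]$Clsid)
    # 32-bit IE on 64-bit Windows reads the WOW6432Node view, so check both.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $flags = Get-RegValue -Path "$root\$Clsid" -Name 'Compatibility Flags'
        [pscustomobject]@{
            Check  = 'ADODB.Stream kill bit'
            Key    = $root
            Value  = if ($null -eq $flags) { 'not set' } else { '0x{0:X}' -f $flags }
            Secure = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

function Get-ActiveScriptingStatus {
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $value = Get-RegValue -Path "$hive\$ZoneSubKey" -Name '1400'   # 1400 = Active scripting
        [pscustomobject]@{
            Check  = 'Active scripting, Internet zone'
            Key    = "$hive\$ZoneSubKey"
            Value  = if ($null -eq $value) { 'not set' } else { $value }
            Secure = ($value -eq 3)    # 0 = enabled, 1 = prompt, 3 = disabled
        }
    }
}

@(Get-KillBitStatus -Clsid $AdodbStreamClsid) + @(Get-ActiveScriptingStatus) |
    Format-Table -AutoSize
```

Group-policy overrides under the Policies keys are not examined here, so a managed machine may enforce a different effective setting than the rows show.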




posted on Jun, 9 2004 @ 05:46 AM
Nothing new here, move on



posted on Jun, 9 2004 @ 06:05 AM
This is exactly why I stopped using MS IE.

I switched to Mozilla Firefox and I haven't looked back.



posted on Jun, 9 2004 @ 06:26 AM
I switched to Mozilla Firefox a long time ago as well; IE is such crap anyway. I prefer Firefox to the point of installing a copy on my USB flash drive for use on public and university computers to avoid IE altogether.



posted on Jun, 9 2004 @ 06:36 AM
This is funny: I am just reading this post when the Windows Update just shows on my toolbar. I guess let's do the download.



posted on Jun, 9 2004 @ 08:33 AM
Spectre, not trying to hijack your thread; but I'd be interested in anyone's thoughts on Firefox. I tried it a while ago but was too busy to properly evaluate it. Any issues with any sites?



posted on Jun, 9 2004 @ 08:40 AM
Quite a few people on ATS seem happy with Firefox, and I am one of them. Once in a while I will find that Firefox does something funny with the formatting of a page, but it is rare. I can't use it to access the web-interface of my broadband router, just odd little things that I can live with. The ability to integrate the ATS search into my browser is golden.



posted on Jun, 9 2004 @ 09:15 AM
Has anyone used MYIE2? I just like the ability to tab all the sites on one open browser. MYIE2



posted on Jun, 9 2004 @ 09:53 AM

Originally posted by titian
Spectre, not trying to hijack your thread; but I'd be interested in anyone's thoughts on Firefox. I tried it a while ago but was too busy to properly evaluate it. Any issues with any sites?


I've been using it for quite a while now.
Aside from fewer security holes than IE, I also enjoy the automatic popup blocking & tabbed browsing. Oh, the tabbed browsing. I don't know how I managed ATS without it!!
Also.....I have next to no spyware anymore. With IE, I had to run AdAware & Spybot weekly and it cleaned up bunches of nastiness. Not anymore. I run both progs about every other week, and it usually finds *nothing*.
There are a few sites I have to use IE for, but they're far between.

Firefox is definitely a good way to go, especially with reports like this coming out.



posted on Jun, 9 2004 @ 12:34 PM
Just a shame some of the Java capabilities don't work with other browsers.

I think you'll all be pleasantly surprised with XP SP2; I've been running the beta version since its release. No chance I'm going back to the land of popups and installers.

SP2 is the best thing MS have ever made, that's a statement. lol

Andy



posted on Jun, 9 2004 @ 02:58 PM
With all non-beta updates, a friend of mine loaded up IE and browsed for no more than 20 mins. I looked over and saw the "DO NOT USE THIS BROWSER" titlebar (yeah, I made it say that and he didn't even notice). I found three new running .exe files that were located on my hard drive. This may be the same exploit that did that - but that was like a month ago. That is the absolute most insecure situation. It's not that the browser crashed, and code was executed upon termination, which one would be alerted that something just happened. It was so silent, and so seamless that Microsoft should be proud. I have seen intentionally inter-operating software that doesn't work this seamlessly, without user intervention or knowledge. That's quite the coding. I only use Firefox now, and if a site doesn't render properly - they get an email saying "get a real web developer that follows industry standards, and not MS-centric obscurities (though they're not obscure because everyone uses IE)". I simply will not use that site, and I will look elsewhere for the information. SP2 is more secure, but the fact that MS has taken up to 8 months for critical flaws being used in the wild to be publicly admitted to is enough for me to say "not on my pc, thanks." I am trying to migrate my PCs over to other OSes but sadly, there's too much that won't run properly that I have already purchased to give up Windows itself.
And obviously if you state something, it is a "statement".



posted on Jun, 9 2004 @ 03:41 PM
The first hints I heard of this particular problem started back in mid-May, but it has taken this long for someone to document the flaw and outline the exploit. That it has been in use for quite a long time explains, to a degree, the rash of spyware installs that I have come across.

That MS is not going to allow Service Pack 2 to install on the thousands+ illegal copies of XP connected to the internet paints a grim picture for the future. Those will make thousands of potential "zombie" PCs just waiting to be infected and unleashed.



posted on Jun, 9 2004 @ 03:54 PM
When was this discovered?



posted on Jun, 9 2004 @ 03:59 PM

Originally posted by AD5673
When was this discovered?

Security Focus has the earliest article that seems to point at an undocumented flaw that could hit a fully patched Windows machine. It was published May 14th.


d1k

posted on Jun, 9 2004 @ 04:01 PM
I have heard many great things about MYIE.



posted on Jun, 9 2004 @ 04:43 PM


but the fact that MS has taken up to 8 months for critical flaws being used in the wild to be publicly admitted to is enough for me to say


The problems often begin when you publicise the fact you have flaws, and when you release security updates.

The moment you say you have a problem, you automatically assist the sad little coders out there that just like to be destructive. Since most of the computer users out there are "like my dad", the later these destructive individuals find out about these flaws the better. It at least gives MS the chance to do something about it.

I do feel strongly about MS security problems and rarely stand up for them but sometimes it's necessary. SP2 will solve a lot of the issues, with inbuilt firewall which blocks all connections except those authorised and the blocking features. MS said they were now making security top priority and indeed they are. Shame they missed the boat with XP SP1.

There are still many other problems to watch out for with some of these new HTML installers and multi trojans out there, which no browser will protect you against, and with Symantec admitting lately that even Norton has a couple of major flaws allowing it to be disabled, security lands at everyone's doors.

Oh, and a quick warning: new virus out that actually is a good old-fashioned virus, deletes all files on your hard drive on the 6th, 13th, 21st or 28th of the month. Beware: VBS.Pub can be disguised with .asp, .hta, .htm, .htt, .html, .vbe or .vbs extensions.

Nice article here: patch-o-mania
www.astalavista.com...


Andy


[edit on 9-6-2004 by Andy Robins]



posted on Jun, 9 2004 @ 04:47 PM

Originally posted by SupaFly
Has anyone used MYIE2? I just like the ability to tab all the sites on one open browser. MYIE2



I started using it today and love it so far. Lots of features that IE should've had a long time ago. So far I'm very happy.



posted on Jun, 9 2004 @ 06:16 PM
Microsoft Comments on New Flaw

Stephen Toulouse, security program manager for Microsoft, has added his comments on the situation in an interview with ZDNet.

"We consider that any use of an exploit to run a program is a criminal use," he said. "We are going to work aggressively with law enforcement to prosecute individuals or companies that do so."


They are not taking this lightly, and are considering creating a patch as soon as possible, rather than waiting for its regular monthly update. They are also working with the FBI to build a case against organizations installing software using the exploit.



posted on Jun, 9 2004 @ 06:32 PM
Where would one get this Mozilla Firefox browser?



posted on Jun, 9 2004 @ 06:35 PM
Just put Mozilla Firefox in Google; it'll take you straight there.
Just downloaded it, thank you for the heads-up.


