SCI/TECH: 'Extremely Critical' Flaws in MS Internet Explorer

Updated 7/2/2004 - Two major flaws in Microsoft's Internet Explorer web browser have been discovered. These vulnerabilities are rated as "extremely critical" and no patches are currently available to fix them. The security holes are already being used by unscrupulous operators to install Adware on the computers of unsuspecting Internet users. More dangerous applications are sure to follow.


"Zero Day" exploits are those that appear with no warning time between the recognition of a security flaw and the ability of someone to exploit it. There are additional links to support this story and describe technical details of the method used to infect systems remotely, but I choose to omit them because these sites also explain exactly how to code the exploit.

This very sophisticated attack is triggered by a specially crafted hyperlink and has been used to install the iLookup Toolbar.

Until Microsoft releases a hotfix for this problem (which may come along with Windows XP Service Pack 2, due out in late July or August) the only way to safeguard against this malicious script is to disable active scripting in Internet Explorer. A more prudent suggestion would be, in my opinion, to use another web browser. While exploits for Mozilla and Opera exist, they are not as common.

This announcement comes on the heels of . Microsoft Security Bulletin Summary for June, 2004. This bulletin covers two relatively minor updates for "DirectPlay" and "Crystal Reports Web Viewer."

Related News Links
Secunia - Cross Zone scripting

Updated, 7/2/2004:

Microsoft releases an interim configuration change to offset the threat of security exploits affecting Internet Explorer ahead of its scheduled July round of updates.


A step in the right direction, but not enough
The SANS Internet Storm Center has confirmed reports that the new configuration change does not prevent maliciously designed web pages from running programs on a user's computer. For the full details please see their write-up:

[edit on 6-9-2004 by Valhall]
[edit on 2-7-2004 by Spectre]

[edit on 2-7-2004 by Spectre]

Nothing new here, move on

This is exactly why I stopped using MS IE.

I switched to Mozilla FireFox I haven't looked back.

I've switched to Mozilla Firefox a long time ago aswell, IE is such crap anyway. I prefer Firefox to the point of instaling a copy on my USB flash drive for use on public and university computers to avoid IE alltogether.

This is funny I am just reading this post when the windows update just shows on my toolbar, I guess let do the download.

Spectre, not trying to hijack your thread; but I'd be interested in anyone's thoughts on Firefox. I tried it awhile ago but was too busy to properly evaluate it. Any issues with any sites?

Quite a few people on ATS seem happy with Firefox, and I am one of them. Once in a while I will find that Firefox does something funny with the formatting of a page, but it is rare. I can't use it to access the web-interface of my broadband router, just odd little things that I can live with. The ability to integrate the ATS search into my browser is golden.

Has anyone used MYIE2? I just like the ability to tab all the sites on one open browser. MYIE2

Originally posted by titian
Spectre, not trying to hijack your thread; but I'd be interested in anyone's thoughts on Firefox. I tried it awhile ago but was too busy to properly evaluate it. Any issues with any sites?

I've been using it for quite awhile now.
Aside from fewer security holes than IE, I also enjoy the automatic popup blocking & tabbed browsing. Oh, the tabbed browsing. I don't know how I managed ATS without it!!
Also.....I have next to no spyware anymore. With IE, I had to run AdAware & Spybot weekly and it cleaned up bunches of nastiness. Not anymore. I run both progs about every other week, and it usually finds *nothing*.
There are a few sites I have to use IE for, but they're far between.

Firefox is definately a good way to go, especially with reports like this coming out.

Just a shame some of the java capabilites dont work with other browser.

I think your'll all be plensently suprised with XP SP2, ive been running the beta version since its release. no chance im going back to the land of popups and installers.

SP2 is the best thing MS have ever made, thats a statement. lol

Andy

With all non-beta updates, a friend of mine loaded up IE and browsed for no more than 20 mins. I looked over and saw the "DO NOT USE THIS BROWSER" titlebar (yeah, i made it say that and he didnt even notice). I found three new running .exe files that were located on my hard drive. This may be the same exploit that did that - but that was like a month ago. That is the absolute most insecure situation. It's not that the browser crashed, and code was executed upon termination, which one would be alerted that something just happened. It was so silent, and so seamless that microsoft should be proud. I have seen intentionally inter-operating software that doesnt work this seamlessly, without user intervention or knowledge. That's quite the coding. I only use firefox now, and if a site doesnt render properly - they get an email saying "get a real web developer that follows industry standards, and not MS-centric obscurities (though they're not obscure because everyone uses IE)". I simply will not use that site, and i will look elsewhere for the information. SP2 is more secure, but the fact that MS has taken upto 8 months for critical flaws being used in the wild to be publically admitted to is enough for me to say "not on my pc, thanks." I am trying to migrate my pcs over to other OS's but sadly, theres too much that wont run properly that i have already purchased to give up windows itself And obviously if you state something, it is a "statement".

The first hints I heard of this particular problem started back in mid-May, but it has taken this long for someone to document the flaw and outline the exploit. Since it has been in use for quite a long time explains. to a degree, the rash of spyware installs that I have come across.

That MS is not going to allow Service Pack 2 to install on the thousands+ illegal copies of XP connected to the internet paints a grim picture for the future. Those will make thousands of potential "zombie" PCs just waiting to be infected and unleashed.

When was this discovered?

Originally posted by AD5673
When was this discovered?

Security Focus has the earliest article that seems to point at an undocumented flaw that could hit a fully patched Windows machine. It was published May 14th.

I have heard many a great things about MYIE.

but the fact that MS has taken upto 8 months for critical flaws being used in the wild to be publically admitted to is enough for me to say

The problems oftern begin when you publisise the fact you have flaws, and when you release security updates.

The moment you say you have a problem, you automatically assist the sad little coders out there that just like to be destructive. Since most of the computer users out there are "like my dad" the later these destructive individuals find out about these flaws the better. It atleast gives MS the chance to do somthing about it.

I do feel strongly about MS security problems and rarely stand up for them but somtimes its nessecary. SP2 will solve alot of the issues, with inbuilt firewall which blocks all connections except those autherised and the blocking features. MS said they were now makign security top priority and indeed they are. Shame they missed the boat with XP SP1.

There are still many other problems to watch out for with some of these new HTML installers and multi trojens out there, which no browser will protect you against and with Symantic admitting lately that even Norton has a couple of major flaws allowing it to be disabled, security lands at everyones doors.

O and quick warning, new virus out that actually is a good old fassion virus, deletes all files ion your hard drive on 6th 13th 21st or 28th of the month. Beware: VBS.Pub can be descised asp, .hta, .htm, .htt, .html, .vbe or .vbs extensions.

Nice article here: patch-o-mania
www.astalavista.com...


Andy


[edit on 9-6-2004 by Andy Robins]

Originally posted by SupaFly
Has anyone used MYIE2? I just like the ability to tab all the sites on one open browser. MYIE2

I started using it today and love it so far. Lot's of features that IE should've had a long time ago. So far I'm very happy

Microsoft Comments on New Flaw

Stephen Toulouse, security program manager for Microsoft, has added his comments on the situation in an interview with ZDnet

"We consider that any use of an exploit to run a program is a criminal use," he said. "We are going to work aggressively with law enforcement to prosecute individuals or companies that do so."

They are not taking this lightly, and are considering creating a patch as soon as possible, rather than waiting for its regular monthly update. They are also working with the FBI to build a case against organizations installing software using the exploit.

where would one get this Mozilla Firefox browser?

Just put Mozilla Firefox in google itll take you straight there.
Just downloaded it, thankyou for the headsup.