Extremely Critical IE Vulnerability!!!

 
 
TechNews
Guest
Posts: n/a
 
      06-08-2004
(Yet another reason to use Netscape, Opera, Mozilla, or Eudora...)

TITLE:
Internet Explorer Local Resource Access and Cross-Zone Scripting
Vulnerabilities

SECUNIA ADVISORY ID:
SA11793

VERIFY ADVISORY:
http://secunia.com/advisories/11793/

CRITICAL:
Extremely critical

IMPACT:
Security Bypass, System access

WHERE:
From remote

SOFTWARE:
Microsoft Internet Explorer 6

DESCRIPTION:
Two vulnerabilities have been reported in Internet Explorer, which in
combination with other known issues can be exploited by malicious
people to compromise a user's system.

1) A variant of the "ms-its:" local resource access vulnerability can
be exploited via a specially crafted URL in the "Location:" HTTP
header to open locally installed "CHM" help files.

Example:
URL:ms-its:C:\WINDOWS\Help\iexplore.chm::/iegetsrt.htm

2) A cross-zone scripting error can be exploited to execute files in
the "Local Machine" security zone.

Secunia has confirmed the vulnerabilities in a fully patched system
with Internet Explorer 6.0. It has been reported that the preliminary
SP2 prevents exploitation by denying access.

Successful exploitation requires that a user can be tricked into
following a link or viewing a malicious HTML document.

NOTE: The vulnerabilities are actively being exploited in the wild to
install adware on users' systems.

SOLUTION:
Disable Active Scripting support for all but trusted web sites.

Remove support for the "ms-its:" URI handler.

PROVIDED AND/OR DISCOVERED BY:
Originally discovered in the wild.
Detailed analysis of exploit by Jelmer.

OTHER REFERENCES:
Jelmer's posting on Full-Disclosure:
http://archives.neohapsis.com/archiv...4-06/0104.html

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

--
Reliability:Speed:Security:Linux
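
As an added example (not part of the advisory or of this thread), the redirect described in item 1 can be caught at a proxy or in captured traffic by allowing only http/https schemes in "Location:" values. The function names, the allow-list and the sample responses are assumptions constructed for illustration; the "ms-its:" URL is the advisory's own example.

```python
import re

ALLOWED_SCHEMES = {"http", "https"}          # assumption: redirects should stay on the web
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)

def location_values(raw_headers: str):
    """Yield every Location header value from a raw HTTP response head."""
    head = raw_headers.replace("\r\n", "\n").split("\n\n", 1)[0]
    head = re.sub(r"\n[ \t]+", " ", head)    # unfold obsolete continuation lines
    for line in head.split("\n")[1:]:        # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            yield value.strip()

def redirect_scheme(value: str):
    """Return the lower-cased scheme of a redirect target, or None if relative."""
    target = value.strip()
    if target[:4].lower() == "url:":         # "URL:" prefix as in the advisory's example
        target = target[4:].lstrip()
    m = SCHEME_RE.match(target)
    return m.group(1).lower() if m else None

def flag_redirects(raw_headers: str):
    """Return (scheme, value) for each Location that leaves http/https."""
    findings = []
    for value in location_values(raw_headers):
        scheme = redirect_scheme(value)
        if scheme is not None and scheme not in ALLOWED_SCHEMES:
            findings.append((scheme, value))
    return findings

# Constructed sample responses (not captured traffic).
SAMPLES = {
    "chm": "HTTP/1.1 302 Found\r\nLocation: URL:ms-its:C:\\WINDOWS\\Help\\iexplore.chm::/iegetsrt.htm\r\n\r\n",
    "folded": "HTTP/1.1 302 Found\r\nlocation:\r\n  MS-ITS:C:\\WINDOWS\\Help\\iexplore.chm::/iegetsrt.htm\r\n\r\n",
    "web": "HTTP/1.1 301 Moved\r\nLocation: https://example.com/a?b=c:d\r\n\r\n",
    "relative": "HTTP/1.1 302 Found\r\nLocation: /login?next=ms-its:x\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, flag_redirects(raw))
```

The allow-list flags any non-web scheme in a redirect, so it does not depend on knowing each handler name in advance; relative targets and colons inside a query string are not flagged.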
 
 
Toolman Tim
Guest
Posts: n/a
 
      06-09-2004
TechNews wrote:
> (Yet another reason to use Netscape, Opera, Mozilla, or Eudora...)
>
> TITLE:
> Internet Explorer Local Resource Access and Cross-Zone Scripting
> Vulnerabilities


<snipped>

Yet another reason to keep Windows fully updated and not panic or scream
"The sky is falling" all over Usenet.

--
Of all the things I've lost, it's my mind I miss the most. ~M. Twain


 
 
TechNews
Guest
Posts: n/a
 
      06-09-2004
Toolman Tim wrote:

> TechNews wrote:
>> (Yet another reason to use Netscape, Opera, Mozilla, or Eudora...)
>>
>> TITLE:
>> Internet Explorer Local Resource Access and Cross-Zone Scripting
>> Vulnerabilities

>
> <snipped>
>
> Yet another reason to keep Windows fully updated and not panic or scream
> "The sky is falling" all over Usenet.
>


You really mean yet another reason to dump windows and IE. You make it
sound as if keeping windows fully updated is a stroll in the park.

Microsoft makes users pay once again.

--
Reliability:Speed:Security:Linux
 
 
Duane Arnold
Guest
Posts: n/a
 
      06-09-2004
TechNews <(E-Mail Removed)> wrote in news:726cb210d44e97c9d35d960d07b6cc58@news.1usenet.com:

> Toolman Tim wrote:
>
>> TechNews wrote:
>>> (Yet another reason to use Netscape, Opera, Mozilla, or Eudora...)
>>>
>>> TITLE:
>>> Internet Explorer Local Resource Access and Cross-Zone Scripting
>>> Vulnerabilities

>>
>> <snipped>
>>
>> Yet another reason to keep Windows fully updated and not panic or scream
>> "The sky is falling" all over Usenet.
>>

>
> You really mean yet another reason to dump windows and IE. You make it
> sound as if keeping windows fully updated is a stroll in the park.
>
> Microsoft makes users pay once again.
>


I have no problems using MS products and refuse to come anywhere near
Linux. I am pretty sure if Linux has the number of *clueless* users using
Linux as does MS, the situation would be no different.

Duane
 