Extremely Critical IE Vulnerability!!!

Discussion in 'Computer Support' started by TechNews, Jun 8, 2004.

  1. TechNews

    TechNews Guest

    (Yet another reason to use Netscape, Opera, Mozilla, or Eudora...)

    TITLE:
    Internet Explorer Local Resource Access and Cross-Zone Scripting
    Vulnerabilities

    SECUNIA ADVISORY ID:
    SA11793

    VERIFY ADVISORY:
    http://secunia.com/advisories/11793/

    CRITICAL:
    Extremely critical

    IMPACT:
    Security Bypass, System access

    WHERE:
    From remote

    SOFTWARE:
    Microsoft Internet Explorer 6

    DESCRIPTION:
    Two vulnerabilities have been reported in Internet Explorer, which in
    combination with other known issues can be exploited by malicious
    people to compromise a user's system.

    1) A variant of the "ms-its:" local resource access vulnerability can
    be exploited via a specially crafted URL in the "Location:" HTTP
    header to open locally installed "CHM" help files.

    Example:
    URL:ms-its:C:\WINDOWS\Help\iexplore.chm::/iegetsrt.htm

    2) A cross-zone scripting error can be exploited to execute files in
    the "Local Machine" security zone.

    Secunia has confirmed the vulnerabilities in a fully patched system
    with Internet Explorer 6.0. It has been reported that the preliminary
    SP2 prevents exploitation by denying access.

    Successful exploitation requires that a user can be tricked into
    following a link or viewing a malicious HTML document.

    NOTE: The vulnerabilities are actively being exploited in the wild to
    install adware on users' systems.

    SOLUTION:
    Disable Active Scripting support for all but trusted web sites.

    Remove support for the "ms-its:" URI handler.

    PROVIDED AND/OR DISCOVERED BY:
    Originally discovered in the wild.
    Detailed analysis of exploit by Jelmer.

    OTHER REFERENCES:
    Jelmer's posting on Full-Disclosure:
    http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0104.html

    ----------------------------------------------------------------------

    About:
    This Advisory was delivered by Secunia as a free service to help
    everybody keep their systems up to date against the latest
    vulnerabilities.

    Subscribe:
    http://secunia.com/secunia_security_advisories/

    Definitions: (Criticality, Where etc.)
    http://secunia.com/about_secunia_advisories/

    --
    Reliability:Speed:Security:Linux
     
    TechNews, Jun 8, 2004
    #1
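
Added example, not part of the original post or the Secunia advisory: a defender-side check that parses a raw HTTP response head and flags `Location:` redirects whose target scheme is `ms-its:` (issue 1 above), tolerating the `URL:` prefix seen in the advisory's example. The function names, the http/https allow-list and the sample responses are assumptions constructed for this illustration.

```python
import re

BLOCKED_SCHEMES = {"ms-its"}         # the handler named in the advisory
ALLOWED_SCHEMES = {"http", "https"}  # assumed redirect policy for this example
_SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")


def parse_headers(raw):
    """Return lower-cased (name, value) pairs from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        if line[:1] in (" ", "\t") and headers:  # obsolete folded continuation
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def classify_location(value):
    """Classify a redirect target by URI scheme."""
    v = value.strip()
    while v[:4].lower() == "url:":               # prefix used in the advisory's example
        v = v[4:].lstrip()
    m = _SCHEME.match(v)
    if m is None:
        return "relative"
    scheme = m.group(1).lower()
    if scheme in BLOCKED_SCHEMES:
        return "blocked-scheme"
    return "ok" if scheme in ALLOWED_SCHEMES else "unexpected-scheme"


def suspicious_redirects(raw):
    """List (value, verdict) for every Location header that is not http(s) or relative."""
    hits = []
    for name, value in parse_headers(raw):
        if name == "location":
            verdict = classify_location(value)
            if verdict not in ("ok", "relative"):
                hits.append((value, verdict))
    return hits


# Constructed sample responses (the first reuses the URL printed in the advisory).
SAMPLE_BAD = "\r\n".join(["HTTP/1.1 302 Found",
    r"Location: URL:ms-its:C:\WINDOWS\Help\iexplore.chm::/iegetsrt.htm", "", ""])
SAMPLE_OK = "\r\n".join(["HTTP/1.1 302 Found", "location: https://example.org/next", "", ""])
```
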

  2. TechNews

    Toolman Tim Guest

    TechNews wrote:
    > (Yet another reason to use Netscape, Opera, Mozilla, or Eudora...)
    >
    > TITLE:
    > Internet Explorer Local Resource Access and Cross-Zone Scripting
    > Vulnerabilities


    <snipped>

    Yet another reason to keep Windows fully updated and not panic or scream
    "The sky is falling" all over Usenet.

    --
    Of all the things I've lost, it's my mind I miss the most. ~M. Twain
     
    Toolman Tim, Jun 9, 2004
    #2

  3. TechNews

    TechNews Guest

    Toolman Tim wrote:

    > TechNews wrote:
    >> (Yet another reason to use Netscape, Opera, Mozilla, or Eudora...)
    >>
    >> TITLE:
    >> Internet Explorer Local Resource Access and Cross-Zone Scripting
    >> Vulnerabilities

    >
    > <snipped>
    >
    > Yet another reason to keep Windows fully updated and not panic or scream
    > "The sky is falling" all over Usenet.
    >


    You really mean yet another reason to dump windows and IE. You make it
    sound as if keeping windows fully updated is a stroll in the park.

    Microsoft makes users pay once again.

    --
    Reliability:Speed:Security:Linux
     
    TechNews, Jun 9, 2004
    #3
  4. TechNews

    Duane Arnold Guest

    TechNews <> wrote in news:726cb210d44e97c9d35d960d07b6cc58
    @news.1usenet.com:

    > Toolman Tim wrote:
    >
    >> TechNews wrote:
    >>> (Yet another reason to use Netscape, Opera, Mozilla, or Eudora...)
    >>>
    >>> TITLE:
    >>> Internet Explorer Local Resource Access and Cross-Zone Scripting
    >>> Vulnerabilities

    >>
    >> <snipped>
    >>
    >> Yet another reason to keep Windows fully updated and not panic or scream
    >> "The sky is falling" all over Usenet.
    >>

    >
    > You really mean yet another reason to dump windows and IE. You make it
    > sound as if keeping windows fully updated is a stroll in the park.
    >
    > Microsoft makes users pay once again.
    >


    I have no problems using MS products and refuse to come anywhere near
    Linux. I am pretty sure if Linux has the number of *clueless* users using
    Linux as does MS, the situation would be no different.

    Duane :)
     
    Duane Arnold, Jun 9, 2004
    #4
