The Active Network
ActiveMac Anonymous | Create a User | Reviews | News | Forums | Advertise  
 

  *  

  Two New IE Bugs Uncovered
Time: 00:08 EST/05:08 GMT | News Source: CRN | Posted By: Kenneth van Surksum

Security analysts Wednesday warned users of a pair of unpatched bugs in Microsoft's popular Internet Explorer browser that may soon be in play because proof-of-concept code has gone public for both.

One vulnerability lets attackers execute their code remotely if they can dupe users into double-clicking on a file included in a malicious Web page. The Internet Storm Center claimed that the current proof-of-concept exploit code requires this kind of user interaction, but that went on to warn that "we can expect to find creative use of this exploit in the wild very soon." According to the ISC, disabling IE's active scripting capabilities might protect against an exploit of the bug.

The second flaw is due to a failure of IE to enforce cross-domain policies, Symantec said in a warning to customers of its DeepSight threat system. IE, which has been victimized by numerous cross-domain vulnerabilities, could be exploited to hijack usernames and passwords.

Write Comment
Return to News

  Displaying 1 through 25 of 344
Last | Next
  The time now is 8:04:09 AM ET.
Any comment problems? E-mail us
#1 By 15406 (216.191.227.68) at 6/29/2006 8:21:04 AM
I would make my usual caustic comments at this week's "own your box" IE holes, but it's getting so easy, to the point where it's almost no fun anymore. It's like laughing at the Sun for rising each morning.

#2 By 32132 (64.180.219.241) at 6/29/2006 9:38:56 AM
"According to Secunia's quick test, IE 7 Beta 2 is not vulnerable to the cross-domain vulnerability. That's not surprising, since the Redmond, Wash. developer has claimed the browser's code was rewritten to reduce its cross-domain scripting profile. "

Get IE7.

#3 By 32132 (64.180.219.241) at 6/29/2006 10:07:58 AM
IE7 Beta 3 is out.

http://windowsconnected.com/blogs/joshs_blog/archive/2006/06/29/3195.aspx

#4 By 15406 (216.191.227.68) at 6/29/2006 11:02:45 AM
MS has had, and blown, too many chances already. Get Firefox.

http://www.getfirefox.com/

#5 By 37047 (216.191.227.68) at 6/29/2006 11:19:11 AM
Or, if you just don't want to get Firefox, Opera is an option as well.

http://www.opera.com/

#6 By 32132 (64.180.219.241) at 6/29/2006 11:50:16 AM
#4 Unfortunately Firefox has squandered its chances by being chock full of security holes:

http://www.mozilla.org/security/announce/

They should rename Firefox, take a year off for a security review, and promise to get it right this time!

#7 By 15406 (216.191.227.68) at 6/29/2006 2:07:41 PM
#7: GalacticJello = Parkkkker

Thanks for reciting one of MS' talking points. However, it does not follow that there will be more flaws found for an app that has a larger amount of attention. Perhaps an analogy would help you. You and 1000 of your friends will likely be able to breach an open barn, but not a bank vault. If there isn't much to find, much won't be found. IE is chock full of endless bugs, and with many eyes looking for them, they appear endlessly.

As bad as your first argument was, the second is even worse. Open source does not mean that there will be no bugs, ever. That's just stupid to even say something like that. What it actually does do is give others the opportunity to examine the code themselves and make fixes or suggestions if they find something.

Mozilla has released a whole nine advisories? Wow. Is that a lot?

btw Parkkker, making up new logins so that you can appear to have others backing up your nonsense is pathetic.

#8 By 37047 (216.191.227.68) at 6/29/2006 3:22:28 PM
#9: You point out another important difference between open and closed source models. With open source, you can easily access the bug database and see all outstanding bugs against a system. In a closed source environment, all you have access to is the bugs that are fixed and the closed source company decides to mention to you. The defects that are still outstanding are unknown to you, and anything that was fixed that they don't wish to tell you about is hidden from you.

Therefore, saying to look at the Bugzilla database for the outstanding Firefox defects is almost meaningless unless we can get access to the defect tracking system Microsoft uses, and compare the number of outstanding IE bugs to the number of outstanding Firefox defects.

#9 By 15406 (216.191.227.68) at 6/29/2006 3:29:57 PM
#9: What about your sig? Any idiot can make a new ID here. You sure sound like Parkkker, complete with out-of-context "facts". Only a tard like Parkkker would defend IE, the most insecure app ever created. Parkkker likes to make grandiose claims about all the systems and sites he maintains, while you're trying to get me to believe you're an OS hacker. Pffft!, I say. You're so full of it. Parkkker has posted several times with latch = [some_insult_here] as the first line of his post, and by wild coincidence so did you. Face it, you're nailed, Parkkkkker.

As for your Ford vs Chevy analogy, it isn't moronic at all. Say I've been driving Ford for 10 years and they give me nothing but problems. Then I drive a Chev for a few years and it's nothing but sweetness. Am I a fool for preferring Chev? Only a Ford fanatic would think so.

#10 By 32132 (64.180.219.241) at 6/29/2006 4:21:10 PM
#10 "With open source, you can easily access the bug database and see all outstanding bugs against a system. "

Except for the ones Bugzilla keeps secret.

There are dozens of these:

https://bugzilla.mozilla.org/show_bug.cgi?id=336830

"You are not authorized to access bug #336830."

In fact, most of the last batch of Firefox bugs are secret to this day.

#11 By 32132 (64.180.219.241) at 6/29/2006 4:21:57 PM
#11 What a maroon! I never call you a troll. I always call you a moron.

This post was edited by NotParker on Thursday, June 29, 2006 at 16:22.

#12 By 32132 (64.180.219.241) at 6/29/2006 7:29:39 PM
You know whats funny. One of the bugs is also a bug in Firefox. Those OSS fanatics. Always stealing ideas from Microsoft!

:)

http://news.zdnet.com/2100-1009_22-6089817.html

"Two new security flaws have been discovered in Microsoft's Internet Explorer, and one can be replicated in Mozilla's Firefox, security experts have warned.

Code for both of the vulnerabilities has been published, but currently there are no reports of attackers who have taken advantage of these flaws, the SANS Internet Storm Center, which monitors network threats, said in an advisory released Wednesday.

The flaw that affects both IE and Firefox is related to the handling of the object.documentElement.outerHTML property, according to the advisory. That technology is used to access documents delivered from one Web site to another. "

I predict Latch, disgusted by the lack of security in Firefox, will switch to IE7.

This post was edited by NotParker on Thursday, June 29, 2006 at 19:30.

#13 By 23603 (70.82.83.103) at 6/29/2006 9:41:09 PM
OUTCH!!!! Point goes to NotParker....

#14 By 23275 (68.17.42.38) at 6/29/2006 10:40:37 PM
#15, Ditto that... NotParker handed Latch his fourth point of contact tonight.


#15 By 37047 (216.191.227.68) at 6/30/2006 11:18:31 AM
#14: You should have a look at the original SANS notice. They have an update that might interest you and GalacticJello. Here is the text of the update, dated today:

"UPDATE 06/30/06
After doing more research on this vulnerability and with great help from our readers (thanks to Dan and another reader) it seems that Mozilla Firefox is not affected by this vulnerability.

The (obvious) reason for this is that Firefox doesn't support the outerHTML property at all (innerHTML property is supported). As this property is not supported, the original context can't get any data from the HTML that was loaded into the <object> tag.

If you test this with the original PoC posted on Full Disclosure, you can notice that Firefox will load the target web page into the object tag, but the alert call (which is in the original context) will not be able to get any data. If you use Internet Explorer 6 this is not the case as the original context script can access data that was loaded into the object tag.

The fact that Firefox displays the target web page has nothing to do with this vulnerability (apart from the fact that it can confuse the user, but that's another story); so in this context it's no different than using an iframe.

Internet Explorer 7 is also not affected by this vulnerability."

So, as can be seen, Firefox and IE7 are both unaffected by this vulnerability. So the score on these two holes are back to being IE 6 -> 2, Firefox -> 0.

#16 By 15406 (216.191.227.68) at 6/30/2006 11:22:57 AM
#12: Do you think it's smart to publicize a bug in such a way that it can be exploited before it's fixed? I don't. And seeing all but the most sensitive bugs is better than seeing none at all. How many known bugs have sat in IE for years that we don't know about?

#13: I can't help that you use insults when your arguments are worthless.

#14: So IE has 100% more serious flaws than Firefox this week. And you're happy about that? Congratulations.

#15: Parkkker can have all the points he wants. Maybe he can redeem them for a Cupie doll.

#16: Parkkker admits IE has more holes than Firefox, so he wins. I look forward to Parkkker 'winning' on a weekly basis then.

#17: Whatever. You go on using Windows and IE with your smug sense of superiority about being a "real user." However, you are right on exactly one thing: when IE vX comes out, I won't try it. Why would I? Firefox works well enough and it isn't anywhere near as exploitable as IE. With a horrible record of business ethics and app security, why would I want to use their crap?

#17 By 32132 (64.180.219.241) at 6/30/2006 11:27:02 AM
#18 You forgot where Firefox is now keeping all of its recent bugs secret on Bugzilla.

Firefox --> 42 points for being secretive weasels!

IE7 rocks!


And thanks for SANS link: 3 points for Open Office!


OpenOffice.org Vulnerabilities
Published: 2006-06-30,
Last Updated: 2006-06-30 02:14:13 UTC by David Goldsmith (Version: 1)

OpenOffice.org released a security bulletin today that addresses three security issues in the OpenOffice.org software which were discovered during an internal code audit. The vulnerabilities affect both the older 1.1.x and the newer 2.0.x releases. OpenOffice.org has released version 2.0.3 which resolves the issues. A patch for version 1.1.5 will be available soon. Without the patch, one of the issues has a possible workaround to alleviate the issue; the other two do not.

OpenOffice.org has additional security notes on their site that address the three specific issues:


Java Applets

It is possible for some Java applets to break out of the secure "sandbox" in which they are normally constrained. The applet code could potentially have access to the entire system with whatever privileges the current user has.

A workaround is provided to temporarily disable support for Java applets. Instructions are provided for both 1.1.x and 2.0.x.

Macros

A flaw with the macro mechanism could allow an atatacker to include certain macros that would be executed even if the user has disabled document macros. Such macros could potentially have access to the entire system with whatever privileges the current user has.

There is no workaround for this issue

File Format

A flaw in the parsing of the XML file formats allows for possible buffer overflows in specially malformed documents. The buffer overflow can crash the OpenOffice.org application and might be exploitable for arbitrary code-execution.

There is no workaround for this issue.

#18 By 15406 (216.191.227.68) at 6/30/2006 12:42:25 PM
#21: Wow, you really do know it all, don't you? Yep, I call him Parkkker because of his known affiliation with white supremacy groups....

Considering you've been around here supposedly forever, I find it interesting that you don't know that NotParker used to be known as Parkker. I throw in an extra k or two just for laffs. But of course you would jump to the most negative assumption. I can see why you only have ~30 posts -- nothing to offer but personal attacks. Feh.

#19 By 37047 (216.191.227.68) at 6/30/2006 12:45:33 PM
#20: MS Excel has had 3 security fixes in the last week alone. And that does not include the patches I just installed for Word, Powerpoint, OneNote, etc. So, 3 issues in all of OpenOffice is not so terrible in comparison.

Any company claiming to have zero defects ever, is baldly lying. This is not even possible for any piece of software more complex than a "Hello World" app. And I've even seen bugs in Hello World implimentations. The real issue is not how many defects a product has, unless the number is really high, but rather how open the company is about publicizing them and fixing them in a timely manner. Microsoft, Mozilla Foundation, and Opera Software, and every one else too, have an obligation not to make too much information known about security holes before a patch is available, otherwise exploits will be created before a patch can be created. This would be bad for the user, and the company's image as well.

So, all software has bugs. Good companies acknowledge them and fix the quickly, and bad ones ignore them at their own peril. IE may have more holes per "x" lines of code, but at least MS is good about fixing the worst of them in a timely manner. Most, if not all, of the major software makers are.

Who has more or less defects in a given 1 week period is a meaningless measurement vector. The total number of new defects found per year may be more significant, or the total number of defects found for a major version, comparing all IE 6 defects found to date to all Firefox 1.x defects found to date, normalized to account for the difference in amount of time each has been publically available. Take the grand total for each product and divide each by the number of months each has been available would give a much better view of the true quality of each.

If anyone knows of such an independant study, please provide the link to the study, not just an out-of-context quotation from it.

#20 By 32132 (142.32.208.232) at 6/30/2006 1:01:16 PM
#22 "I call him Parkkker because of his known affiliation with white supremacy groups.... "

What a moron. You hate me because every once in a while I stand up for Israel and jews.

Jew hating is the preserve of the Bush hating left and the loony right. I'm neither. You and Kabuki and the other Al Quada supporters are into that kind of stuff.

#21 By 32132 (142.32.208.232) at 6/30/2006 1:02:41 PM
#23 Firefox was averaging an exploit every 4.4 days. The latest release upped that to something like 2 - 3 days per security hole.

http://blog.eweek.com/blogs/larry_seltzer/archive/2006/05/03/9589.aspx

"With the latest update to Firefox there have been 28 vulnerability advisories this year, 15 of them "Critical." That's in 122 days.

Does anyone else think this is a fairly rapid pace? There were 56 advisories for Firefox in all of 2005 (16 of them "Critical"), or roughly one every 6.5 days. (The first one was in January, 2005, so I'll assume the whole year for this argument.) This year the incidence has gone up to roughly one every 4.4 days, and the number of Critical ones has skyrocketed."

This post was edited by NotParker on Friday, June 30, 2006 at 13:04.

#22 By 32132 (142.32.208.232) at 6/30/2006 1:05:37 PM
Whats with the KKK smear job going on?

Is that the new OSS fanatic tactic. If you don't kiss the *ss of Firefox, you are in the KKK?

You guys are deranged!

#23 By 15406 (216.191.227.68) at 6/30/2006 1:56:39 PM
"It is a debate about people blindly trusting one piece of software over another."

It is? Since when? I was under the impression that this was a debate about IE being crap compared to Firefox. See, that's the problem with guys like you and Parkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkker. Everything is black or white. No room in the middle. Me saying IE is crap does not mean I believe Firefox is perfect. I am frequently critical of FOSS projects. Park_k_k_k_k_ker is the only one I know that blindly trusts anything, that 'anything' being MS. Maybe you should debate him.

#24 By 37047 (216.191.227.68) at 6/30/2006 3:53:45 PM
Today is June 30th. The 181st day of the year. 181 / 28 = 6.46, which is just shy of one per week. I'd like to see some stats showing the same numbers for IE vulnerabilities for the current year, for all IE versions, right back to 1.0.

#25 By 32132 (64.180.219.241) at 7/1/2006 2:46:11 PM
#29 43 as of June 1st. June 1st was day 152. 152 / 43 = 3.53 which is 2 per week.

http://www.mozilla.org/security/announce/

Firefox has gone to a monthly patch cycle, so in early July we can redo the count. As of now, 2 per week looks pretty shoddy.

You go ahead an count IE vulnerabilities. I'll go back and count Netscape/Mozilla/Phoenix/Firefox ones. Firefox will have the higher count.

Write Comment
Return to News
  Displaying 1 through 25 of 344
Last | Next
  The time now is 8:04:09 AM ET.
Any comment problems? E-mail us
User name and password:

 

  *  
  *   *