| ActiveMac | Anonymous | Create a User | Reviews | News | Forums | Advertise |
|
|
|
User Controls |
|
New User |
|
Login |
|
Edit/View My Profile |
|
|
|
|
|
|
|
ActiveMac |
|
Articles |
|
Forums |
|
Links |
|
News |
|
News Search |
|
Reviews |
|
|
|
|
|
|
|
News Centers |
|
Windows/Microsoft |
|
DVD |
|
ActiveHardware |
|
Xbox |
|
MaINTosh |
|
News Search |
|
|
|
|
|
|
|
ANet Chats |
|
The Lobby |
|
Special Events Room |
|
Developer's Lounge |
|
XBox Chat |
|
|
|
|
|
|
|
FAQ's |
|
Windows 98/98 SE |
|
Windows 2000 |
|
Windows Me |
|
Windows "Whistler" XP |
|
Windows CE |
|
Internet Explorer 6 |
|
Internet Explorer 5 |
|
Xbox |
|
DirectX |
|
DVD's |
|
|
|
|
|
|
|
TopTechTips |
|
Registry Tips |
|
Windows 95/98 |
|
Windows 2000 |
|
Internet Explorer 4 |
|
Internet Explorer 5 |
|
Windows NT Tips |
|
Program Tips |
|
Easter Eggs |
|
Hardware |
|
DVD |
|
|
|
|
|
|
|
Latest Reviews |
|
Applications |
|
Microsoft Windows XP Professional |
|
Norton SystemWorks 2002 |
|
|
|
Hardware |
|
Intel Personal Audio Player 3000 |
|
Microsoft Wireless IntelliMouse Explorer |
|
|
|
|
|
|
|
Site News/Info |
|
About This Site |
|
Affiliates |
|
ANet Forums |
|
Contact Us |
|
Default Home Page |
|
Link To Us |
|
Links |
|
Member Pages |
|
Site Search |
|
Awards |
|
|
|
|
|
|
|
Credits |
 |
Attack code targets new IE hole | |
|
||
| Time: 06:44 EST/11:44 GMT | News Source: News.com | Posted By: Jonathan Tigner | ||
|
Computer code that could be used to hijack Windows PCs via a yet-to-be-patched Internet Explorer flaw has been posted on the Net, experts have warned. The code was published on public Web sites, where it is accessible to miscreants who might use it to craft attacks on vulnerable Windows computers. Microsoft is investigating the issue, the company representative said in a statement Thursday. "Microsoft's initial investigation reveals that this exploit code could allow an attacker to execute memory corruption," the representative said. As a workaround to protect against potential attacks, Microsoft suggests Windows users disable ActiveX and active scripting controls. IE versions 5.01 and 6 on all current versions of Windows are affected, the French Security Incident Response Team, or FrSIRT, a security-monitoring company, said in an alert Wednesday. FrSIRT deems the issue "critical," its most serious rating. Microsoft noted that Windows 2003 running Enhanced Security Configuration is not affected. | ||
|
Write Comment
Return to News |
Displaying 1 through 25 of 230 Last | Next |
The time now is
10:44:50 PM
ET.
Any comment problems? E-mail us |
| #1 By 15406 (216.191.227.68) at 9/15/2006 8:36:59 AM |
|
ANOTHER own-your-box IE hole? Say it ain't so, Parkkker!
|
| #2 By 32132 (142.32.208.238) at 9/15/2006 11:26:48 AM |
|
ANOTHER 7 Firefox security holes.
Say it ain't so Latch. http://www.mozilla.org/projects/security/known-vulnerabilities.html |
| #3 By 478 (65.101.166.122) at 9/15/2006 12:46:56 PM |
| NOBODY and no product is 100% correct, 100% of the time. Is a fact of life. Finding something wrong should be constructive a endevour, not a vindictive action. I wonder how the french will like to have posted to the world, an efective way to blow up the Eifel Tower and the hell with advicing the police first. |
| #4 By 15406 (216.191.227.68) at 9/15/2006 1:48:46 PM |
| #2: You mean the ones that were just patched? It ain't so, since they're already patched. I'm not sure how you can compare fixed problems to open problems, but you're kind of strange that way. Don't worry though. MS will have your IE patched in about a month or so, maybe more. And then they'll patch it again in another month or so. And then maybe they'll patch it again. For the same problem. |
| #5 By 17996 (131.107.0.102) at 9/15/2006 4:04:24 PM |
|
This is a serious vulnerability, but at least Microsoft has already published an advisory which gives instructions on how to block the faulty object from loading (i.e. how to kilbit it). Enterprises have the information they need to protect themselves since they can easily push out this killbit to all their computers.
Consumers on the other hand can either set the killbit themselves or wait until the next Patch Tuesday. |
| #6 By 13030 (198.22.121.110) at 9/15/2006 4:40:11 PM |
|
I was going to post right after Latch this morning about how we can expect the standard issue NotParker misdirection post...
The MSFT stock challenge still stands even though I know NotParker isn't up to it and never will be. |
| #7 By 32132 (142.32.208.238) at 9/15/2006 5:02:37 PM |
|
#6 Firefox makes it so easy for me. 64 security holes this year so far.
|
| #8 By 15406 (24.43.125.29) at 9/15/2006 9:09:23 PM |
|
#7: And how many outstanding megabugs are in IE at this very moment? I guess we'll never know as they used a closed process. Based on this graph here:
http://secunia.com/product/11/?task=statistics_2006 IE 6 has 36% of their reported advisories (14 total) unpatched for this year versus 10% (10 total) for all versions of Firefox 1.x: http://secunia.com/product/4227/?task=statistics_2006 This post was edited by Latch on Friday, September 15, 2006 at 21:11. |
| #9 By 17996 (66.235.19.95) at 9/15/2006 9:56:19 PM |
|
#8, you need to dig a little deeper. Of those "36%", what is the severity? How much interaction is needed? Does the flaw require Flash or Excel to be installed (http://secunia.com/advisories/13156/)? This one (http://secunia.com/advisories/13317/) requires the user to right-click a file and do "save picture as". This one (http://secunia.com/advisories/13872/) lets you find out whether a given file exists on the user's PC -- but not the contents of the file. A minor bug not worth worrying about, and surely its fixed in IE7.
If the 36% were all remote execution bugs, then there'd be more reason to worry. Plus, if you look at Secunia's page for this latest DirectAnimation bug, you'll notice (as I write this, at least) that it says its status is "unpatched" when I'd say its status should be "vendor workaround", since MS has provided a workaround (the killbits). |
| #10 By 17996 (66.235.19.95) at 9/16/2006 12:50:30 AM |
|
Also #8, the numbers you give are kind of interesting. "IE 6 has 36% of their reported advisories (14 total) unpatched for this year versus 10% (10 total) for all versions of Firefox 1.x"
14 = .36x, x = 38 advisories for IE6 10 = .10x, x = 100 advisories for Firefox I haven't done any counting but that number seems a bit high for Firefox...? |
| #11 By 23275 (68.17.42.38) at 9/16/2006 3:06:38 AM |
|
My curiosity remains very simple: how thorough a look is being applied by how many people against IE 6, vice those devoted to exploring Firefox?
I submit that IE 6 is placed under far greater scrutiny by entire companies whose business model it is to find and publish vulnerabilities in the program. If Firefox, or any program were subject to equal measures of scrutiny, how well would it fair as compared to IE 6? I also submit that with the impending release of IE 7 and most especially IE 7 as implemented under Vista, that similar effort has and is being applied toward it as it for IE 6 - and no one has yet identified much. In fact, the companies that have profited most from the holes found in software - including IE 6, aren't saying much beyond how Micorsoft is now hurting their businesses. I ask, what will many people say when it is discovered that it is very hard to meaningfully exploit Vista via IE 7? I assess they will have to find something else to speak to - or as they now do, they post wild headlines like, "CRITICAL FLAW FOUND IN MSWORD...." - yet they will fail to include the detail that the falw is restricted to Word 2000 and that Word XP, 2003, and 2007 are not affected! Latch, you've used this one this week in at least two posts and its inappropriate to speak so directly and at the same time, exclude relevant detail. I bet the industry will do the same thing in a few months and the headlines will scream, "YET ANOTHER FLAW FOUND IN IE!" - yeah, IE 5, or 6 and not 7 and certainly not IE 7 under Vista. I swear, IT/MIS press people must have originally worked for Pravda in the former Soviet Union - "A great race was held today... and the Soviet driver finished second in a close race, while the American driver finished second to last!" Of course, the Soviets would exclude the detail that there were only two cars in the race... |
| #12 By 32132 (64.180.219.241) at 9/16/2006 11:19:37 AM |
|
#10 "that number seems a bit high for Firefox"
Mozilla's list comprises 64 official "Security Advisories" However, many are multiples like this one: http://www.mozilla.org/security/announce/2006/mfsa2006-64.html It has 29 seperate bug numbers in Bugzilla. This one has 3: http://www.mozilla.org/security/announce/2006/mfsa2006-60.html This one has 2, each with its own CVE #: http://www.mozilla.org/security/announce/2006/mfsa2006-57.html And those are just from the latest batch. Do I think Firefox's 64 "Security Advisories" could comprise 100 or more seperate security holes? Yes. Could I dig deeper? No. Most are embargoed so if you click on the Bugzilla url you get: "Access Denied You are not authorized to access bug #346090. To see this bug, you must first log in to an account with the appropriate permissions. " https://bugzilla.mozilla.org/show_bug.cgi?id=346090 |
| #13 By 2960 (68.101.39.180) at 9/18/2006 1:47:37 PM |
|
And the number of FireFox attacks vs. IE attacks is what? About 1:1000 ?
|
| #14 By 15406 (216.191.227.68) at 9/18/2006 4:47:42 PM |
|
#12: In Parkkker's world, every bug (even a typo in the About box), is a "Security Vulnerability!". Please. As for your whining about not being able to get access to the restricted bugs, let's compare with MS shall we? Oh right, we can't. There is no public MS bug database. Looks like ALL MS bugs are restricted to the point you don't even know there's a bug until after you're owned.
|
| #15 By 23275 (68.17.42.38) at 9/18/2006 10:54:34 PM |
|
Latch has a good point here - there could and should be a lot more transparency about MS BUGS/Vuls than there is. There is no real reason not to publish reviews "after" patches have been supplied and enough time to proliferate them to systems has gone by. Yes, some information is supplied, but not enough - not enough to understand, or should I say, build an understanding as to what those who exploit their software are looking for.
Waiting until people and business are well and truly hurt is not a good policy and making products secure - no matter how sincere or effective the solutions are, is not enough either - it does not pay proper respect to the partners and customers, many of whom spent countless hours and billions dealing with less secure software dealing with one nightmare after another. We all can well rember the many attacks that while we may not have been directly hit - we were all impacted - as many thousands of Windows machines in the hands of under-protected home and small business broadband users were rooted and used to attack so many. Comparisons between Microsoft and all others aren't valid, either - I assess Microsoft has to be far better - set a far better example and lead. That's the responsibility that comes with who and what they have chosen to be. I do assess that as a company, Microsoft got that message and it did take considerable action at its own expense - well at an expense that was shared by its customers and partners - we all got burned for a while. This one has to go to Latch - may be for different reasons... but that does not matter - Microsoft has to lead - they are doing that in this area, now - I just hope they never forget the lessons we all learned the hard way. |
|
Write Comment
Return to News |
Displaying 1 through 25 of 230 Last | Next |
The time now is
10:44:50 PM
ET.
Any comment problems? E-mail us |
