Credits: ©1997/2004, Active Network. All Rights Reserved. Layout & Design by Designer Dream. Content written by the Active Network team. Please click here for full terms of use and restrictions or read our Privacy Statement.
Time: 00:06 EST/05:06 GMT | News Source: News.com | Posted By: Kenneth van Surksum
Security researcher Michal Zalewski has published four new vulnerabilities in Microsoft Internet Explorer and Mozilla Firefox to the Full Disclosure mailing list. No patches are yet available from either vendor. The most serious is an MSIE page update race condition: when a user is navigated by JavaScript from one page to another page on the same domain, there is a window of opportunity during which an attacker can concurrently execute JavaScript and perform actions with the permissions of the previous page.
The next most severe is Firefox cross-site IFRAME hijacking, where an attack against about:blank frames could allow malicious code execution. Zalewski also published two medium-severity vulnerabilities, one each for Firefox and Internet Explorer. The Firefox file prompt delay bypass allows an "attacker to download or run files without user's knowledge or consent", and the Internet Explorer 6 URL bar spoofing issue lets a page make the address bar display a URL other than the one actually loaded. This last vulnerability does not affect Internet Explorer 7.

#1 By 23275 (24.179.4.158) at 6/5/2007 11:50:54 AM
Why do they always leave out how Windows Vista and IE 7 Protected Mode/Securable Objects mitigates such things?
For example, say one moves from an untrusted zone in IE 7 on Vista to a trusted zone [where one has manually de-selected default security settings (as an example)], Vista/IE 7 will immediately alert and prompt the user and advise of what it is doing - mitigating the update race condition vuln. I assess it is appropriate to disclose and discuss mitigations - as important as declaring "glaring Zero-Day" vulns. is. This in no way diminishes the importance of vulns. and follow-on work to patch and prevent the same - it is to say that full disclosure regarding just how good and helpful securable objects/Protected Mode in IE 7 under Vista actually is at helping mitigate such vulns.
Quick Update - what I pointed out about Protected Mode and zones works the other way around, too - so exploit code in one zone can't execute under Vista/IE 7. Users of Vista/IE 7 would remain safer.
This post was edited by lketchum on Tuesday, June 05, 2007 at 11:56.

#2 By 23275 (24.179.4.158) at 6/5/2007 12:03:04 PM
Ref #1, above -
At worst, under Vista/IE 7 the most serious exploit just loops, does nothing outside protected mode and times out after 120 seconds. It demonstrates how IE 7 in Protected Mode works to isolate such code from user space - where all users under Vista are Standard Users [in reality (with admin level Standard Users being relieved of the need to re-enter credentials)].

#3 By 15406 (216.191.227.68) at 6/5/2007 12:41:52 PM
Perhaps it's because every news story isn't supposed to be a promotional ad for MS? IE7 is affected by one of the two new issues, regardless of the relative severity. However, it is good to see IE7 lessen the effect of the attack as compared to IE6.
This post was edited by Latch on Tuesday, June 05, 2007 at 12:46.

#4 By 23275 (24.179.4.158) at 6/5/2007 1:00:21 PM
The reality of Protected Mode, what it is and what it means, is not an ad - it is the truth.
The headlines are reading, "Glaring Hole in Fully Patched IE 7 and FF" [latest versions and both fully patched]. This is not true. The latest version of IE 7 is IE 7 [formerly called IE 7 Plus], under Windows Vista [all versions], which clearly prevents the exploit code from executing [by default]. Again, these are facts, not advertising. It is important that mitigations be included, so that consumers and professionals may be properly informed and therefore able to make better decisions about what systems to buy and use. If IE 7 under Windows Vista is substantively safer and more secure by default - by design, then this information and relevant examples should be disclosed as important information - not withheld, or obfuscated - that is not the purpose of journalism, which is supposed to properly and fully inform.
As I have shared here many times, "how" Windows Vista was built [and will be built upon and improved] was the most significant and beneficial part of the new OS. That is directly related to undiscovered flaws in the new OS - which may be mitigated by the use of securable objects in IE 7's default Protected Mode - isolating code execution from even user space and canalizing it within a very restrictive environment from which it may not execute on its own. That larger story isn't being told at all and I wonder why our industry continues to ignore facts that have been available for over a year. The practice is not serving the public interest well at all.

#5 By 23275 (24.179.4.158) at 6/5/2007 2:39:06 PM
Tangent(Tm) Alert.
While I'm on the subject of how poorly our press is serving the public in the context of security... certainly [and some folks with sheer glee] most of us will recall how widely and loudly it was reported a few weeks back, that Windows Live OneCare had scored poorly on certain tests and was therefore branded in ways similar to this, "OneCare sucks" as posted on Twit.tv [www.twit.tv] episode, #18 Titled, "Windows Weekly 18: Windows NoCare" - which was netcast on March 23rd, 2007, http://www.twit.tv/ww18
Ok. Well the back story was that the tests themselves were designed in a way that is more consistent with the detection engines found in more well known security products and that Windows Live OneCare, due to how its detection engine works, would not perform as well on the lab tests, but would likely perform as well in the real world. In the meantime, the devs at Microsoft created a new build - one that includes some of the engine parts that would respond more consistently with existing tests and the news is that both West Coast Labs and ICSA Labs re-certified Windows Live OneCare [again]. See the Windows Live OneCare Team Blog here, http://windowsonecare.spaces.live.com/ and update to build 1.6.2111.10 [if not auto-updated, already - see help | about, for the build if you are a OneCare user].
So the drill is this - it seems that Microsoft's detractors make haste when reporting what appears to be bad news about Microsoft products [whether the facts and truth support it or not], but they are slow, or absent when it comes to reporting facts which emerge later, or when problems are solved. It doesn't matter what the issue is - or who the person or company is in many cases - ref the drubbing Apple took over not being green enough, when in fact, Apple's actual business operations and policies were greener than many others.
So how do such practices help people and how in heck are they couched as journalism - and why are they appearing on sites where users do turn for answers if the answers provided do not offer assistance, or resolutions that are as easy to find as the initial drubbings?
Millions of people are going to read the journals and sites that carry such half truths, or outright falsehoods. Like, maybe 3 people will read this post and it's probable that they will be running something other than OneCare.

#6 By 15406 (216.191.227.68) at 6/5/2007 2:41:53 PM
Many Firefox exploits could be totally neutralized with help from 3rd-party extensions like NoScript, but there is no such disclaimer when the exploit is announced. Other 3rd-party products harden the defaults for many apps. Should every flaw disclosure include a list of all possible ways to mitigate the attack? The article is about the introduction of new flaws, and not an examination of the relative severity of the attack based on differing security models. That's probably why they don't fluff Protected Mode. They have to address the majority, and everyone is still using IE6 for the most part. That is a fact. As for IE7 being safer & more secure by default, I've said before that that's a determination that you can only make in hindsight. I believe MS designed it to work around attack vectors it already knew about, and the new sandbox may be better at keeping web content in check. From what I understand, Sun also intended Java to have a secure sandbox -- except for all the exploits that they had to fix. Every version of Windows is touted as being all about security etc etc. Then, a few years down the road, after Windows has been savaged in 1,000 different ways, the new Windows comes out and it's - wait for it - going to be the most secure Windows ever! But it will also be full of holes. In the end, advice like 'move to Vista & IE7' may not be quite as helpful as you think. More of a 'devil you know' situation, if you ask me.

#7 By 23275 (24.179.4.158) at 6/5/2007 3:25:55 PM
#6, for that to be true any longer, the separations between user space and that used by secured objects would have to be breached. That is much less likely to happen.

#8 By 15406 (216.191.227.68) at 6/5/2007 3:54:01 PM
#7: Perhaps, but that's the rub, isn't it? Time will tell. I would like to believe that the vast majority of MS exploits were crafted to take advantage of something nobody thought of, as opposed to leveraging something that someone thought of but handled poorly. In other words, you can try to account for all the things you know about, but it's the unknowns that get you. So MS can design Vista to be more secure, and it may actually be more secure in practice than anything else on the planet, but that doesn't mean it won't be owned tomorrow. Nobody should ever brag about security. Talk to Larry Ellison about that and his 'Unbreakable' Oracle campaign.

#9 By 23275 (24.179.4.158) at 6/5/2007 4:30:31 PM
#8, Good Points - I hope we're both right and both wrong - at the same time.
I do assess that Windows Vista has a much better design and a great API - available to all devs [even FF/Moz] around securable objects - http://msdn2.microsoft.com/en-us/library/aa379557.aspx - so if used properly, the separations isolating user space will remain effective - beyond that barrier, UAC kicks in and beyond that, DEP [first SW then HW].
So a lot more has to happen to get code from one defined space to another and it becomes harder the deeper one progresses toward the kernel - for which there is no access short of a very few driver components - upon which a tilt would be hit and the system would simply die - as it stops instantly.
You are right, Microsoft should be careful about how it speaks to these matters and they are - they use words like, "Safer" or "More Secure" - they do not use absolutes and nor should we.
Those that do know, really need to speak up - responsibly - and point out to users and devs, that there are new tools for them to keep people safer while using a computer online. So they only secure the portions of an app that faces the cloud - that is good enough for me, and I assess securable objects is a good way to help devs do that. Moz/FF can choose not to use them and they can buy Green Border [as they did], but my question would be, "Okay, is Green Border going to use securable objects and execute outside user space?" - it is a fair question for Windows app devs, I think.
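Comments #1, #2 and #9 above rest on one mechanism: IE 7 Protected Mode runs the browser as a Low-integrity process, and Windows mandatory integrity control (the integrity label carried by every securable object) denies that process write access to Medium-integrity objects such as the user's profile. The PowerShell session below is an added example, not part of the news item or of any commenter's post, that lets an administrator on Vista or later confirm the setting and see the labels directly. It assumes a throwaway folder path C:\Temp\LowIL, and it takes the Internet zone's registry value 2500 to be the per-zone Protected Mode switch (0 = enabled, 3 = disabled); both are assumptions made for this illustration.

```powershell
# Added example: inspect the mandatory integrity labels that IE7 Protected Mode
# depends on. Requires Windows Vista or later; run from a normal (Medium IL)
# PowerShell as the user who runs IE. The scratch path and the registry value
# are assumptions for this illustration, not taken from the page.

# 1. Integrity level of this shell's token. A standard user session reports
#    "Medium Mandatory Level", an elevated one "High"; Protected Mode IE runs
#    at "Low", which is what keeps its writes out of the rest of the profile.
whoami /groups | Select-String 'Mandatory Level'

# 2. Per-zone Protected Mode switch (assumed: value 2500 under zone 3, the
#    Internet zone; 0 = enabled, 3 = disabled).
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$pm = (Get-ItemProperty -Path $zone -Name '2500' -ErrorAction SilentlyContinue).'2500'
"Internet zone Protected Mode value: $pm (0 = enabled, 3 = disabled)"

# 3. The area IE leaves writable for Low-IL code carries an explicit Low label
#    with the No-Write-Up (NW) policy. The profile root carries no explicit
#    label, so it is treated as Medium and a Low-IL process cannot write to it.
icacls "$env:USERPROFILE\AppData\LocalLow" | Select-String 'Mandatory'
icacls "$env:USERPROFILE" | Select-String 'Mandatory'

# 4. Reproduce the same labelling on a scratch folder: mark it Low so that a
#    Low-IL process could write into it, then read the label back.
$low = 'C:\Temp\LowIL'
New-Item -ItemType Directory -Path $low -Force | Out-Null
icacls $low /setintegritylevel '(OI)(CI)Low'
icacls $low | Select-String 'Mandatory'
```

If step 2 reports anything other than 0, or step 3 shows no Low label on LocalLow, the separation the commenters rely on is not in effect for that user, and the mitigation argument in #1 and #2 does not apply to that machine. Labelling a folder Low, as step 4 does, is also what an application must do deliberately before Protected Mode IE can save anything into it, which is the practical consequence of the securable-objects API referenced in #9.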