| ActiveMac | Anonymous | Create a User | Reviews | News | Forums | Advertise |
|
|
|
User Controls |
|
New User |
|
Login |
|
Edit/View My Profile |
|
|
|
|
|
|
|
ActiveMac |
|
Articles |
|
Forums |
|
Links |
|
News |
|
News Search |
|
Reviews |
|
|
|
|
|
|
|
News Centers |
|
Windows/Microsoft |
|
DVD |
|
ActiveHardware |
|
Xbox |
|
MaINTosh |
|
News Search |
|
|
|
|
|
|
|
ANet Chats |
|
The Lobby |
|
Special Events Room |
|
Developer's Lounge |
|
XBox Chat |
|
|
|
|
|
|
|
FAQ's |
|
Windows 98/98 SE |
|
Windows 2000 |
|
Windows Me |
|
Windows "Whistler" XP |
|
Windows CE |
|
Internet Explorer 6 |
|
Internet Explorer 5 |
|
Xbox |
|
DirectX |
|
DVD's |
|
|
|
|
|
|
|
TopTechTips |
|
Registry Tips |
|
Windows 95/98 |
|
Windows 2000 |
|
Internet Explorer 4 |
|
Internet Explorer 5 |
|
Windows NT Tips |
|
Program Tips |
|
Easter Eggs |
|
Hardware |
|
DVD |
|
|
|
|
|
|
|
Latest Reviews |
|
Applications |
|
Microsoft Windows XP Professional |
|
Norton SystemWorks 2002 |
|
|
|
Hardware |
|
Intel Personal Audio Player 3000 |
|
Microsoft Wireless IntelliMouse Explorer |
|
|
|
|
|
|
|
Site News/Info |
|
About This Site |
|
Affiliates |
|
ANet Forums |
|
Contact Us |
|
Default Home Page |
|
Link To Us |
|
Links |
|
Member Pages |
|
Site Search |
|
Awards |
|
|
|
|
|
|
|
Credits |
 |
Security flaw reported in Internet Explorer; Microsoft investigating | |
|
||
| Time: 09:19 EST/14:19 GMT | News Source: Associated Press | Posted By: Byron Hinson | ||
|
A security flaw in Microsoft's Internet Explorer browser could allow a hacker to take control of a remote computer if its user clicks a link to an outdated Internet protocol, a computer security firm says. Oy Online Solutions Ltd. of Finland said it notified Microsoft Corp. of the security hole on May 20 but the software giant has yet to produce a software patch to fix the problem, the Toronto Star reported Tuesday. A Microsoft spokesman who refused to be identified said Tuesday that the company is "moving forward on the investigation with all due speed" and will take the action that best serves its customers. | ||
|
Write Comment
Return to News |
Displaying 1 through 25 of 148 Last | Next |
The time now is
10:36:50 PM
ET.
Any comment problems? E-mail us |
| #1 By 2459 (66.25.124.8) at 6/5/2002 12:36:06 PM |
| Their position was never to simply supress security flaws. It was to not disclose the flaws until they could ready a fix. If the flaw exists, they do have to verify the platforms and conditions where the flaw occurs, fix the flaw on the most current release, then backport to previous platforms that are affected. They also have to perform regression tests to see if the fix works and causes no further problems. It isn't like this is the only issue they are working on, or that there aren't higher priority issues that take precedence over this one. The security firms don't do anything but endanger end users and attract press for themselves when they do this. It helps no one. |
| #2 By 20 (24.243.51.87) at 6/5/2002 3:59:22 PM |
|
Cool future headline: "U.S. Citizens under attack by Iraqi Gophers"
Begun this gopher war has. |
| #3 By 2332 (165.247.5.113) at 6/5/2002 4:31:46 PM |
|
Sigh... add this to the SEVENTEEN existing vulnerabilities:
http://www.jscript.dk/unpatched/ |
| #4 By 3339 (65.198.47.10) at 6/5/2002 5:31:40 PM |
|
Boy, #13, that's great--if only that product was on the market. What kind of point are you making? This post was edited by sodajerk on Wednesday, June 05, 2002 at 20:42. |
| #5 By 1896 (208.61.159.50) at 6/5/2002 5:45:27 PM |
| Breaking his NDA? |
| #6 By 2459 (66.25.124.8) at 6/5/2002 8:15:18 PM |
| Or that the issue is fixed and MS is porting the fix downlevel to older OSes. |
| #7 By 6253 (12.237.192.187) at 6/5/2002 10:49:56 PM |
|
Realist, the breach does not occur merely from linking to a gopher address. You must also be able to trigger the buffer overflow and trigger it in such a way as to execute the desired machine code instructions. People with moderate web skills can certainly create the anchor tag for a gopher link, but can they encode the necessary href url? Can they even write and assemble the concise machine code? Few C++ programmer have even the skill to write x86 assembler, and the overhead added by compiling and linking high-level C/C++ makes it impractical to use the result in a buffer overflow exploit. Even if you get that far, there are often byte alignment and address fixup issues with the machine code (since you're loading it via buffer overflow rather than an OS loader). Then, once you get that far, you're still running in the user's security context on NT/2K/XP, which doesn't necessarily let you take "complete control" of the computer. Certainly many users tend to run with Administrator rights (indeed, all of them on Win9X), but let's not get overly dramatic about how big the real-world risks really are. Six years ago, doomsayers predicted an abundance of rogue websites with dangerous ActiveX controls. Except for a few "Microsoft hate" sites which posted an example written by one person which shut down the machine, surfing with ActiveX enabled has proven less risky than sharing mp3 files.
|
| #8 By 6253 (12.237.192.187) at 6/6/2002 12:43:54 AM |
|
Realist, I don't have a lighthearted view on security. The old RDS and Unicode holes, for instance, were devastating for servers and I will happily admit it. But you look at the actual advisory from Oy Online, it claims that the hole is "trivially exploited." The advisory then goes on to say that it is withholding its exploit example. That's illogical; if the exploit is truly trivial, then there is no purpose in withholding it because everyone with (in your words) "moderate web skills" could reproduce it. So where is YOUR exploit of this hole? I'm sure an exploit will roll out within a couple of weeks, and thousands of people who were unable to write it themselves will happily point to the link as "proof" of something they "might have" written themselves.
Weeks of hard coding by hackers around the world, following a tip-off, isn't my idea of "trivial." Once it gets in the hands of script kiddies, running the exploit will be trivial, but of course running ANYTHING is trivial once it has been conveniently packaged up for script kiddies by the rare coders who can actually create it. |
|
Write Comment
Return to News |
Displaying 1 through 25 of 148 Last | Next |
The time now is
10:36:50 PM
ET.
Any comment problems? E-mail us |
