This is in case anyone missed the advisory.

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

This is in case anyone missed the advisory.

Joseph Dalessandro-2
'Critical' flaws in Internet Explorer
By Bill Brenner, News Writer
09 Jun 2004 | SearchSecurity.com
               
Microsoft yesterday warned users of two "moderate" Windows flaws that
could be remotely exploited to launch a denial-of-service attack or wipe
out data. But its monthly fixes don't cover two more holes found in its
popular Web browser that could be used to compromise vulnerable machines.

IT security firm Secunia of Copenhagen, Denmark calls the vulnerabilities
in Internet Explorer "extremely critical" and recommends users disable
active scripting support for all but trusted Web sites.

"The safest thing the end user can do at this point is use an alternative
browser when visiting Web sites they don't trust," said Thomas
Kristensen, chief technology officer at Secunia. "These vulnerabilities
require urgent action, but we'll be lucky if we see an update for this
next month."

Secunia warned in its advisory ( http://secunia.com/advisories/11793 )
that a variant of the "Location:" local resource access vulnerability can
be exploited via a specially crafted URL in the "Location:" HTTP header
to open local files. Also, a cross-zone scripting error can be exploited
to execute files in the "Local Machine" security zone.

The security holes have been confirmed in a fully patched system with
Internet Explorer 6.0. For the vulnerabilities to be successfully
exploited, a user must be tricked into following a link or view a
malicious HTML document. The flaws are actively being exploited in the
wild to install adware on users' systems, Secunia said.

A Microsoft spokesman issued a statement last night, saying, "Microsoft
is investigating public reports of a malicious attack exploiting
vulnerabilities in Internet Explorer which can enable a malicious user to
execute code on a computer system. The company is monitoring the
situation closely (and) is committed to helping customers keep their
information safe."

The statement didn't say how long it will take to issue a fix.

Of the two security bulletins the software giant released yesterday,
MS04-016 (
http://www.microsoft.com/technet/security/bulletin/MS04-016.mspx )
focuses on a denial-of-service threat in the DirectPlay4 Application
Programming Interface (API) of Microsoft DirectPlay. DirectPlay is
shipped with Microsoft DirectX and allows video games and rich media such
as video and other 3-D animation to be played on Windows-based computers.
Patches for the affected software can be downloaded from the MS04-016
page.

MS04-017 (
http://www.microsoft.com/technet/security/bulletin/MS04-017.mspx )focuses
on a denial-of-service threat and potential for data loss in the Crystal
Reports program produced by San Jose, Calif., software maker Business
Objects and included in Outlook 2003 with Business Contact Manager,
Visual Studio .NET 2003 and Microsoft Business Solutions CRM 1.2. The
Outlook and Visual Studio patches can be downloaded from the MS04-017
page. The Business Solutions patch is available at the Business Objects
Web site
(http://support.businessobjects.com/fix/hot/critical/ms_critical_updates.asp
).

Security software maker Symantec of Cupertino, Calif., considers both
vulnerabilities a "moderate" risk and recommends users apply the patches
as soon as possible.

The latest advisories frustrate Chris Casey, a systems engineer and
founder of IT services provider Northern Shore Technical Services of
Salem, Mass. His gripe: The software giant is still issuing fixes for
problems that should have been solved before the products reached the
marketplace.

"These products aren't properly tested before release," Casey said. "The
Windows 2000 problems we keep seeing should have been buttoned up a long
time ago. I'm a firm believer in doing the job right the first time, but
that isn't the case here."

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
----------------------
Aegis Systems LLC
2442 Cerrillos Road, Suite 103
Santa Fe, New Mexico 87505
e: [hidden email]
v: 505-690-1924
f: 800-864-7993
----------------------
CONFIDENTIALITY NOTICE
This e-mail communication, and any embedded or attached files, or
previous email messages may contain information that is confidential or
legally private. If you are not the intended recipient, or a person
responsible for delivering this communication to the intended recipient,
you are hereby notified that you must not read this communication and
that any disclosure, copying, printing, saving, emailing, distribution or
use of any of the information contained in, or attached to, this
communication is strictly prohibited. If you have received this
communication in error, immediately notify the sender by telephone or
return email and delete the original communication and all attachments
without reading or saving.