'Critical' flaws in Internet Explorer
By Bill Brenner, News Writer 09 Jun 2004 | SearchSecurity.com Microsoft yesterday warned users of two "moderate" Windows flaws that could be remotely exploited to launch a denial-of-service attack or wipe out data. But its monthly fixes don't cover two more holes found in its popular Web browser that could be used to compromise vulnerable machines. IT security firm Secunia of Copenhagen, Denmark calls the vulnerabilities in Internet Explorer "extremely critical" and recommends users disable active scripting support for all but trusted Web sites. "The safest thing the end user can do at this point is use an alternative browser when visiting Web sites they don't trust," said Thomas Kristensen, chief technology officer at Secunia. "These vulnerabilities require urgent action, but we'll be lucky if we see an update for this next month." Secunia warned in its advisory ( http://secunia.com/advisories/11793 ) that a variant of the "Location:" local resource access vulnerability can be exploited via a specially crafted URL in the "Location:" HTTP header to open local files. Also, a cross-zone scripting error can be exploited to execute files in the "Local Machine" security zone. The security holes have been confirmed in a fully patched system with Internet Explorer 6.0. For the vulnerabilities to be successfully exploited, a user must be tricked into following a link or view a malicious HTML document. The flaws are actively being exploited in the wild to install adware on users' systems, Secunia said. A Microsoft spokesman issued a statement last night, saying, "Microsoft is investigating public reports of a malicious attack exploiting vulnerabilities in Internet Explorer which can enable a malicious user to execute code on a computer system. The company is monitoring the situation closely (and) is committed to helping customers keep their information safe." The statement didn't say how long it will take to issue a fix. Of the two security bulletins the software giant released yesterday, MS04-016 ( http://www.microsoft.com/technet/security/bulletin/MS04-016.mspx ) focuses on a denial-of-service threat in the DirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay. DirectPlay is shipped with Microsoft DirectX and allows video games and rich media such as video and other 3-D animation to be played on Windows-based computers. Patches for the affected software can be downloaded from the MS04-016 page. MS04-017 ( http://www.microsoft.com/technet/security/bulletin/MS04-017.mspx )focuses on a denial-of-service threat and potential for data loss in the Crystal Reports program produced by San Jose, Calif., software maker Business Objects and included in Outlook 2003 with Business Contact Manager, Visual Studio .NET 2003 and Microsoft Business Solutions CRM 1.2. The Outlook and Visual Studio patches can be downloaded from the MS04-017 page. The Business Solutions patch is available at the Business Objects Web site (http://support.businessobjects.com/fix/hot/critical/ms_critical_updates.asp ). Security software maker Symantec of Cupertino, Calif., considers both vulnerabilities a "moderate" risk and recommends users apply the patches as soon as possible. The latest advisories frustrate Chris Casey, a systems engineer and founder of IT services provider Northern Shore Technical Services of Salem, Mass. His gripe: The software giant is still issuing fixes for problems that should have been solved before the products reached the marketplace. "These products aren't properly tested before release," Casey said. "The Windows 2000 problems we keep seeing should have been buttoned up a long time ago. I'm a firm believer in doing the job right the first time, but that isn't the case here." ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ---------------------- Aegis Systems LLC 2442 Cerrillos Road, Suite 103 Santa Fe, New Mexico 87505 e: [hidden email] v: 505-690-1924 f: 800-864-7993 ---------------------- CONFIDENTIALITY NOTICE This e-mail communication, and any embedded or attached files, or previous email messages may contain information that is confidential or legally private. If you are not the intended recipient, or a person responsible for delivering this communication to the intended recipient, you are hereby notified that you must not read this communication and that any disclosure, copying, printing, saving, emailing, distribution or use of any of the information contained in, or attached to, this communication is strictly prohibited. If you have received this communication in error, immediately notify the sender by telephone or return email and delete the original communication and all attachments without reading or saving. |
Free forum by Nabble | Edit this page |