Internet Explorer holes causing alarm

Free Newsletters

Log-in | Register

Internet Explorer holes causing alarm Latest patches are no remedy
By Paul Roberts, IDG News Service June 11, 2004			E-mail Printer Friendly Reprints Slashdot It!

BOSTON - Four new holes have been discovered in the Internet Explorer (IE) Web browser that could allow malicious hackers to run attack code on Windows systems, even if those systems have installed the latest software patches from the Redmond, Washington company, security experts warn.

Free IT resource

Open Source Business Conference (OSBC) May 22-23, 2007

Sponsored by Dell

Some of the new flaws are already being used to attack Windows users and include a glitch that allows attackers to fake or "spoof" the address of a Web page, as well as vulnerabilities that enable malicious pages from the Internet to be handled by IE with very little scrutiny or security precautions.

A Microsoft spokeswoman acknowledged the reports and said the company is looking into the attacks and is considering what steps to take, including the release of an emergency security patch to address the problems.

Word of the four new vulnerabilities surfaced in security discussion news groups in recent weeks. Two of the vulnerabilities, first disclosed by someone using the name Rafel Igvi and posted to the NTBugtraq discussion list, allows attackers to load content from malicious Web pages while displaying the Web address of legitimate sites in the Internet Explorer's address bar. Attackers could trick users into clicking on the bogus Web links using e-mail messages or by linking from other Web pages.

The vulnerability is very similar to another hole that was uncovered in December 2003 that allowed attackers to hide the real location of a Web page by including the characters %01 before the @ symbol in a URL. The new vulnerability allows attackers to hide the actual address of the Web page that is being loaded by prefacing the address with the characters ::/ with some IE URLs, according to security company Secunia.

"Conceptually, it's very similar to the %01 problem, and (the flaw) is in a related part of the Internet Explorer code," said Thor Larholm, senior security researcher at PivX Solutions LLC.

Another unpatched hole, called a "cross zone scripting" vulnerability allows attackers to trick Internet Explorer into loading insecure content using relaxed security precautions typically applied to files stored on the local hard drive or obtained from a trusted Web site such as www.microsoft.com, Secunia said.

When combined, the address spoofing and cross zone scripting holes can create a potent and stealthy attack, with attackers using the spoofing hole to trick IE into thinking it is on a safe Web site, even as it loads malicious content from another part of the Internet, Larholm said.

"The address spoofing makes sure (the attacker) can load content from his site, and the cross zone scripting hole makes sure he can do it in (a trusted) security zone," he said.

On Thursday, two more unpatched Internet Explorer holes also surfaced that are slight variations on the same themes. One is a spoofing vulnerability that works on IE, as well as the Mozilla and Safari browsers and allows attackers to fake the address displayed in the address bar. The other is a cross zone scripting hole that lets users load insecure Web pages as if they were trusted Web pages, Larholm said.

All the new holes are variations of flaws discovered in the last two years, and play on known weaknesses in Internet Explorer's design, said Larholm.

In particular, Microsoft's implementation of "security zones" into which Web pages can be grouped is deeply flawed, as is code in IE for assessing what level of security to apply to a particular Web page URL. Fixing such problems will demand a wholesale reengineering of the often-used Web browser, something Microsoft plans to do in the next major release of Windows, code named "Longhorn," Larholm said.

In the meantime, Microsoft and others recommend following so-called "safe browsing" practices. Microsoft has a list of such practices on its Web page. (See: http://www.microsoft.com/security/incident/settings.asp.) Companies should consider increasing security in the Local Machine (or MyComputer) zone. Steps for doing so are also available on the Microsoft Web page. (See: http://support.microsoft.com/default.aspx?scid=kb;en-us;833633.)

PivX also offers Windows users a free tool, Qwik-Fix, that locks down Windows and prevents many common exploits, Larholm said. (See: http://www.pivx.com/qwikfix/.)

Microsoft will work with law enforcement to prosecute individuals who use exploit code to damage computers, the spokeswoman said.

E-mail

Printer Friendly

Reprints

Slashdot It!

TOP NEWS:

» Troubleshooting tool for Java offered
Sun's Java VisualVM open-source technology views apps while they run on a JVM and is billed as all-in-one solution

» Python backing eyed for NetBeans
Scripting language capabilities of the open-source IDE continue to expand

» Microsoft sets Windows XP SP3 automatic download for Thursday
The latest service pack for Windows XP will be pushed to Automatic Update at 7a.m. EDT on July 10

» Real Software, Veryant bolster dev tools
RealBasic, Cobol apps platforms get improvements

» Microsoft sets hosted-services pricing, irks partners
By offering 38 percent discount to customers who buy entire hosted business productivity suite, Microsoft undercuts partners selling similar services

» Adobe readying new mashup tool for business users
Mashup interface code-named 'Genesis' will open up desktop 'workspace' combining business application data, documents, analytics, and instant messaging

Develop an integrated management and security strategy
Watch this Webcast and discover a scalable mobile software platform that combines mobile device management, enterprise-to-edge security, email/messaging, and back-office application extension capabilities, to empower employees to do their work anywhere, anytime, on any device. Sponsor: Sybase iAnywhere

» Click here to view this Webcast

The Silver Lining: Cloud Computing
This IT Strategy Guide digs deep into cloud computing helping put you ahead of the curve on this hot topic. It explores the differences between cloud computing, grid computing and utility computing and then helps you see where and how each applies to your business. Sponsored by Box.net

» Click here to download now

- Special Advertising Partners -

WHITE PAPERS

Disaster Recovery in Minutes - This paper describes a complete disk-based system recovery solution for Microsoft Windows based servers, desktops, and laptops...
Protecting Microsoft(R) Applications - Microsoft Exchange, SQL, Active Directory, and SharePoint have quickly risen to mission-critical status in many companies...
Reduce Recovery Times and Tape Costs - Today's enterprises face a data protection challenge: how to optimize the backup and recovery of business-critical data ...
Secure, recover, and archive critical information - Today's businesses must keep their infrastructures up and running 24x7. That means that the physical systems, the operating...
Consolidating Workloads onto Mainframes - The flexibility, efficiency, and reduced cost of ownership virtualization provides makes it extremely compelling to large...
Transformational Analytics: Virtualizing IT Environments - The overwhelming complexity of the modern data center compounds the problem of how to safely virtualize IT environments....

» Technology White Papers Library

Technology White Papers by Topic

Technology White Papers E-mail Alert

Find out when the latest white paper is available:

INFOWORLD MARKETPLACE

Deliver REMOTE SUPPORT Easily. Try WebEx FREE! - DOWNLOAD WEBEX SUPPORT CENTER FREE! Deliver efficient, effective support. CRUSH SUPPORT LOG JAMS!
Migrating to an IP-VPN? XO Can Make It Happen - Learn the five critical success factors with a free whitepaper from XO Enterprise Solutions.
Sign up to TRY WEBEX SUPPORT CENTER FOR FREE! - Get your FULL FEATURED trial here. Share documents and applications, address support challenges.
IP Networks Boost Secure Health Communications - AT&T provides secure communication to keep health care moving forward.
Why a CMDB? - IT best practices (ITIL) have shown the benefits of a CMDB. Click for whitepapers.

» BUY A LINK NOW

FIND PRODUCTS AND COMPANIES

» COMPLETE PRODUCT GUIDE

TECHNOLOGY INDEX

• Applications
• Application Development
• Security
• Networking
• Wireless
• Platforms
• Hardware
• Data Management
• Storage
• Web Services
• Business
• Telecom
• Professional Services
• Standards

TECH WATCH

What's the 411 on GOOG-411?
Just as Google has become synonymous with "performing a Web search," 411 is understood to mean "information" -- as in "what's the 411?" I was thus surprised to discover, from a billboard, no less, that the king of search is taking on the ...

Apple HTML source reveals 'iPhone Extreme'
"This one's a stretch..." reports AppleInsider. Um, yeah. Reporting on HTML code sightings of product names could be called a stretch, but iPhone Extreme has a ring to it. Now, that sounds like the product Apple should have released first, rather ...

COLUMNISTS

Unified under law

(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...

» MORE COLUMNISTS

MORE INFOWORLD BLOGS

Open Sources

Product Management
When I joined MySQL four years ago, there was quite a lot of debate about product management. We didn't actually have ...

Zero Day

Botnet herders tending smaller flocks
New research backs up the theory that botnet operators are keeping their networks smaller in a continued effort to keep ...

• Advice Line
• Database Underground
• The Deep End
• Enterprise Mac
• Geeks in Paradise
• Grid Meter
• The Gripe Line
• InfoWorld Daily
• Inside IT
• IT Troubleshooter
• ITXtreme
• Open Sources
• ProdBlog
• Real World SOA
• Reality Check
• Security Adviser
• SMB IT
• The Storage Network
• Tech Watch
• Virtualization Report
• Zero Day

RESOURCE CENTER	advertisement
Ads by techwords beta See your link here

GOVERNMENT IT & POLICY
•	'If you don't go after the network, you're never going to stop these guys. Never.'
•	From the State Department, All the News for Inquiring Minds
•	TechPresident, the Internet Citizenry's New Consensus Taker

Sponsored Technology Links
CA - Efficient - Flexible - Compliant PGP - Is Your Data Safe? Novell, IBM, and Intel - Solution for Open Virtualization Provides Server Consolidation Curl - IT Guide: Rich Internet Application (RIA) Security HP/Intel - If you don't have enough I/O, your VMs aren't going to go. Symantec - Whitepaper: Secure, recover, and archive critical information Microsoft - {Open Source} Heroes Happen Here Symantec - Whitepaper: Protecting Microsoft(R) Applications Riverbed - Five Ugly Truths about WAFS and Caching InterSystems - Use Ensemble - quickly create composite applications. AT&T - Factors to consider when comparing DSL or Cable Cirba - Advanced Workload Analysis Techniques Rackspace - Go Green Without Sacrificing Server Performance CA - Manage your IT more effectively. AT&T - Measuring mobile productivity AT&T - Thinking about IMS CA - Plan IT better, Manage IT better. AT&T - Refine your company's plan for a Business Disruption Event AT&T - Going mobile with today's technology Cirba - Consolidating Workloads onto Mainframes AT&T - What to expect from a Technology Assessment.		AT&T - Class of Service: Myths and Misconceptions AT&T - Enhancing security through Quantum Cryptography Riverbed - Wide Area Data Services Microsoft - Microsoft Forefront makes defending your systems easier. Learn how. HP - Explore the interactive whitepaper: Rightsizing Blades for the mid-market. Symantec - Webcast: Beyond AntiVirus AMD - Renowned Engineering Institution Chooses AMD Processor-Based Servers AMD - Watch this flash demo of the Quad-Core AMD Opteron Processor EMC - EMC and VMware help you build your virtualized infrastructure. AMD - HP and Oracle deploy unbreakable computing infrastructure Qwest - Learn how Qwest voice and data solutions can save you time. MKS - The Power of UNIX/Linux on Windows with MKS Toolkit Vision Solutions - Is your smaller organization ready for High Availability? Vision Solutions - Is system maintenance doing more harm than good? HP - NEW HP LaserJet P4014n printer Starting at $699 after $100 IS. HP - HP LaserJet M3035 MFP series Starting at $1,599. SHOP NOW HP - Speed, agility, flexibility - The HP BladeSystem c-Class. Vkernel - Resolve Capacity Bottlenecks and Enhance Your Virtual Environment Nokia - Restore Your Mobile Devices With One Click Oracle - The Power of Two with SOA and BPM

	HOME NEWS BLOGS PODCASTS VIDEOS TECHNOLOGIES TEST CENTER EVENTS CAREERS	About \| Advertise \| Awards \| RSS \| Contact Us
Copyright © 2008, Reprints, Permissions, Licensing, IDG Network, Privacy Policy, Terms of Service. All Rights reserved. InfoWorld is a leading publisher of technology information and product reviews on topics including viruses, phishing, worms, firewalls, security, servers, storage, networking, wireless, databases, and web services. CIO :: ComputerWorld :: CSO :: Demo :: GamePro :: Games.net :: IDG Connect :: IDG World Expo Industry Standard :: IT World :: JavaWorld :: LinuxWorld :: MacUser :: Macworld :: Network World :: PC World :: Playlist