Two years after patch, another IE FTP flaw

Attack viable, but stars have to be aligned just right, security vendor says

By Robert McMillan, IDG News Service
March 12, 2008

Talkback

E-mail

Printer Friendly

Reprints

A flaw in the way Microsoft's Internet Explorer browser processes FTP commands could let attackers steal or erase data from a victim's FTP site.

The bug, which affects users of IE 6 and the unsupported IE 5 browser, gives an attacker a way of hijacking the victim's FTP sessions. But a successful attack would be very hard to pull off and would only work in very precise, targeted attacks, security experts said.

The attacker would need to know the victim's username on the FTP server and the victim would have to already be logged into the server, using IE. Under those conditions, the victim could be sent a malicious FTP link that would then execute commands on the victim's FTP server.

This link could be sent to the browser via an invisible iFrame component, hidden on a malicious Web site, so the victim might not even know the attack was taking place.

"It's something that people could use to steal data, but you'd have to know your target," said Derek Abdine, the principal software engineer with security vendor Rapid7, who disclosed the issue Monday in a security advisory.

"The attack seems viable, but the stars have to be aligned just right for the attack to work," said Craig Schmugar, a researcher with McAfee's Avert Labs, in an e-mail. "An administrator would need to be authenticated already or the server would need to be configured with weak credentials."

Rapid7 notified Microsoft of the issue on Jan. 22 and decided to publish proof-of-concept code that illustrated the flaw after Microsoft had not patched the issue a month later.

The flaw is "almost exactly the same" as another IE FTP flaw that Microsoft patched in August 2006, Abdine said. Microsoft fixed that bug with its MS06-042 patch, issued in August 2006.

The MS06-042 update fixed many IE vulnerabilities, but it ended up embarrassing Microsoft. That's because the security patch had a flaw of its own, a critical security vulnerability that sent Microsoft's security team scrambling to re-issue the update.

The FTP problem does not affect IE 7, Microsoft said Tuesday. The software vendor has not heard of any attacks that take advantage of this vulnerability and has determined that any successful attack would only lead to the unauthorized disclosure of data, the company said in a statement.

Add to:

Digg

Talkback:

comment Post a Comment

MOST COMMENTS

Vista 'inevitable' for enterprises, says Forrester analyst

Steve Ballmer can't hear your 'Save XP' pleas

Stupid hacker tricks, part two: The folly of youth

Product review: Apple's little big iron

>> Talkback: Have your say

BRINGING PERFORMANCE VALIDATION "INTO THE LIFECYCLE"
Today's enterprise apps are complex and ever-changing, which makes delivering high performance difficult. By virtualizing the behavior of application services and data in a VSE, teams can answer this challenge with validation best practices and test tools to ensure solid performance throughout the lifecycle. Register now to attend this webcast! Sponsor: ITKO

» Click here to view this Webcast

Storage is big, and getting bigger
The only certainty is that your requirement for storage will never be satisfied. While you clean out space and authorize POs, you might consider another alternative: outsourcing. The best way to deal with storage might be to let someone else deal with it. Sponsored by SGI

» Click here to download now

- Special Advertising Partners -

WHITE PAPERS

Protect Your Data with SSL - Discover how to increase customer confidence in your site with the latest solution in SSL, Extended Validation (EV) SSL ...
Need simple, low cost server virtualization? - Do more with less. Support fewer servers. Simplify disaster recovery. Implement proven, easy-to-use server virtualization...
Virtually Limitless Virtual Storage - Do you need virtualization space savings of 50% or more with virtually no performance impact? You might be able to get storage...
Invisible IT? - The goal of IT is to become an invisible entity within a larger organization. Eliminating visibility and road blocks IT ...
It Really Is Easy to be Green - "Green IT" is a popular concept. And IT organizations are learning the influence that IT purchase decisions have on data...
Key Strategies For SOA Testing - SOA requires a unique approach to testing. Unless you're willing to reorient your testing procedures and technology now,...

» Technology White Papers Library

Technology White Papers by Topic

Technology White Papers E-mail Alert

Find out when the latest white paper is available:

INFOWORLD MARKETPLACE

Deliver REMOTE SUPPORT Easily. Try WebEx FREE! - DOWNLOAD WEBEX SUPPORT CENTER FREE! Deliver efficient, effective support. CRUSH SUPPORT LOG JAMS!
Migrating to an IP-VPN? XO Can Make It Happen - Learn the five critical success factors with a free whitepaper from XO Enterprise Solutions.
Sign up to TRY WEBEX SUPPORT CENTER FOR FREE! - Get your FULL FEATURED trial here. Share documents and applications, address support challenges.
IP Networks Boost Secure Health Communications - AT&T provides secure communication to keep health care moving forward.
Why a CMDB? - IT best practices (ITIL) have shown the benefits of a CMDB. Click for whitepapers.

» BUY A LINK NOW

Two years after patch, another IE FTP flaw

MOST COMMENTS

» Technology White Papers Library

Technology White Papers by Topic

Technology White Papers E-mail Alert

Video

Podcasts

InfoWorld Blogs

Columnists

Find Products and Companies

Resource Center

Sponsored Technology Links

Sponsored Technology Links
HP - HP LaserJet M3035 MFP series Starting at $1,599. ?? SHOP NOW Collabnet - Virtual Test Lab Automation: Manage development infrastructure HP - StorageWorks All-in-One Storage Systems. hp.com/betterstorage HP - Improve Resource Utilization and Lower Operating Costs Ipswitch - WhatsUp Gold V12 - network management & monitoring for any size network. HP - Webcast: 5 Things You Need to Know About Storage Virtualization Rackspace - Fanatical Support Promise: Live Support 24x7x365 Xerox - Typhoon 8860: Enter to win a Xerox PhaserTM 8860 network color printer! BEA - Webcast: Dialing up Agility with Business Transformation Verisign - Protect Your Data with SSL HP - Speed, agility, flexibility - The HP BladeSystem c-Class. InterSystems - Development, integration, BPM, and BAM together in Ensemble Citrix - Need simple, low cost server virtualization? AMD - We're putting more and more of our energy into saving IT Xerox - Enter to win a Xerox Phaser(TM) 6180 network color printer! Mindreef - Key Strategies For SOA Testing Citrix - Go green.Virtualize servers with Citrix XenServer(TM) - FREE Citrix - Instant server virtualization. Citrix XenServer(TM) - Free! HP - Virtualization: A Step by Step Approach to Success		Neterion - The Missing Piece of Virtualization Microsoft - Tech-Ed 08\|Microsoft's largest tech conference\|June 08 in Orlando Seagate - Maxtor OneTouch(tm) 4 Mini backs up your PC on the go Box.net - Upgrade Your Classic Collaboration Tools Overland Security - The Data Protection You've Been Looking For Lefthand Networks - Free White Paper on Matching Server & Storage Virtualization Vkernel - Resolve Capacity Bottlenecks and Enhance Your Virtual Environment Tripwire - Secure your virtual and physical environments with the same software. Crosscheck Networks - Accelerate Your SOA Projects Nokia - Restore Your Mobile Devices With One Click Oracle - The Power of Two with SOA and BPM Microsoft - Microsoft Forefront security products for business. Learn more. Oracle - Fueling the Responsive Enterprise Microsoft - Meet Windows Server 2008. The server unleashed. Microsoft - Tech-Ed 08\|Microsoft's largest tech conference\|June 08 in Orlando Microsoft - {Open Source} Heroes Happen Here Xerox - Enter to win a Xerox Phaser(TM) 6360 network color printer! Vizioncore - Vizioncore has solutions for virtually any virtual need.

	HOME NEWS BLOGS PODCASTS VIDEOS TECHNOLOGIES TEST CENTER EVENTS CAREERS IT EXEC-CONNECT	About \| Advertise \| Awards \| RSS \| Contact Us
Copyright © 2008, Reprints, Permissions, Licensing, IDG Network, Privacy Policy, Terms of Service. All Rights reserved. InfoWorld is a leading publisher of technology information and product reviews on topics including viruses, phishing, worms, firewalls, security, servers, storage, networking, wireless, databases, and web services. CIO :: ComputerWorld :: CSO :: Demo :: GamePro :: Games.net :: IDG Connect :: IDG World Expo Industry Standard :: IT World :: JavaWorld :: LinuxWorld :: MacUser :: Macworld :: Network World :: PC World :: Playlist