October 22, 2002 1:21 PM PDT
IE holes open up Web booby traps
GreyMagic Software said Tuesday that the vulnerabilities--eight of which it deemed critical--could be exploited using a specially coded Web page that would run malicious programs on a victim's computer if the victim visited the page.
"Using these flaws in combination with other known flaws that can silently deliver files to the user's disk could result in full compromise of the client's computer," said Lee Dagon, head of research and development for GreyMagic.
In addition to letting Net vandals steal private local documents, the flaws could let malicious hackers copy clipboard information, execute arbitrary programs and fool IE users by forging trusted Web sites, the company said in its advisory.
GreyMagic said Internet Explorer 5.5 and 6 are affected by the flaws but that the latest service packs to each of these versions of IE plug the holes.
The bugs appear in how Internet Explorer caches Web objects. GreyMagic found the flaws after researching three different aspects of the Internet Explorer object model earlier this month, Dagon said.
"In each session we found more vulnerabilities," he said.
Seven of the flaws can grant an attacker full access to the victim's PC, while another makes the currently loaded document readable and the last lets an attacker read and write to the clipboard.
"The attacker would need to know the name and exact path to (a) file," added Dagon, pointing out that the vulnerabilities don't let a vandal browse a victim's machine for files. "However, Windows has several sensitive files in relatively static locations, these could be grabbed and used against the victim." For example, the Windows password file is in the same location on every Windows computer and could be copied using the flaws.
Upgrading Internet Explorer 5.5 to Service Pack 2 plugs the security holes, the company said. Patching Internet Explorer 6 with Service Pack 1 will fix the problems in that version of the program as well. The latest updates for both versions of IE can be found through Microsoft's Windows Update page.
GreyMagic Software released the news of the flaws at the same time it gave the information to Microsoft, saying that in the past "notifying Microsoft ahead of time and waiting for them to patch the reported issues proved...nonproductive."
Because Microsoft only received news of the holes on Tuesday, the software giant couldn't confirm the existence of the vulnerabilities. Testing the demo code provided by GreyMagic Software, however, showed that the flaws apparently were real.
The Israeli Web company's refusal to notify Microsoft first, however, earned it the software giant's ire.
"We are concerned by the way this report has been handled," a Microsoft representative said in a statement e-mailed to CNET News.com. "Publishing this report may put computer users at risk--or at the very least could cause needless confusion and apprehension."
For more than a year, Microsoft has been fighting to rein in the public disclosure of flaws, issuing criticism of what it deems to be irresponsible reporting and sponsoring the formation of a group to set standards for disclosing vulnerabilities.
In the past, software makers haven't been very responsive to security issues, but that's changing. Most researchers still believe that releasing information about flaws is the best way to warn the public. However, the same researchers increasingly believe that giving the software's creator a fair amount of time to create a patch is the most responsible way to handle such incidents.
Interpretations of what's fair, however, can vary--from a few days to a few months.
According to Dagon, previous advisories that the company brought to the software titan's attention took anywhere from 3 months to more than 6 months to fix. Since then, he said, GreyMagic has lost patience.
"Microsoft takes quite a while to plug even the simplest security issue, leaving users exposed to risks for months at a time instead of letting them know about temporary workarounds," Dagon said.
But Microsoft isn't the only one to voice concern about reports such as GreyMagic's. The open-source community was not happy when security company Internet Security Systems dropped a bomb by posting an advisory about a major flaw in the Apache Web server just hours after it had notified the development group.