The vulnerability, discovered by SEC Consult, means that attackers could cause the browser to unexpectedly exit and execute arbitrary code. Versions of IE affected by the flaw include IE 6.0 on Windows 2000 with Service Pack 1, 3 and 4, and on Windows XP with Service Pack 1 and 2.
"Microsoft is investigating a new public report of a vulnerability affecting Internet Explorer. We have not been made aware of any attacks attempting to use the reported vulnerability or customer impact at this time," Microsoft said Thursday in its advisory. "But we are aggressively investigating the public report."
A patch for the flaw is not available. As an interim measure, the software giant advises people to set their Internet and local intranet security zone settings to "high" before running ActiveX controls.
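The workaround above is a per-user browser setting, so an administrator who wants to know whether it is actually in place has to look at the zone configuration rather than at patch level. The PowerShell below is an added example, not code from the article or from Microsoft's advisory: it reads the Internet and Local intranet zone settings from the current user's registry hive and flags the weak state (ActiveX controls run without a prompt), with the change that applies the "High" setting left commented out. It assumes the standard IE zone registry layout under HKCU (zone 1 = Local intranet, zone 3 = Internet; CurrentLevel 0x12000 = High; value 1200 = "Run ActiveX controls and plug-ins", where 0 = enable, 1 = prompt, 3 = disable), and that writing both CurrentLevel and 1200 mirrors what the Internet Options dialog does when the slider is moved to High. It is a present-day check; PowerShell did not exist when the advisory was issued.

```powershell
# Added example (not from the article or the Microsoft advisory): audit the two
# IE security zones named in the interim workaround and report whether ActiveX
# controls run without prompting in either of them.
#
# Assumed registry layout (standard IE zone settings, per-user hive):
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>
#   zone 1 = Local intranet, zone 3 = Internet
#   CurrentLevel: 0x10000 = Low, 0x11000 = Medium, 0x12000 = High
#   value "1200" = Run ActiveX controls and plug-ins: 0 = enable, 1 = prompt, 3 = disable
$zoneNames = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$zoneBase  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$highLevel = 0x12000

function Get-ZoneActiveXState {
    param([int]$ZoneId)
    $key = Join-Path $zoneBase $ZoneId
    $p   = Get-ItemProperty -Path $key -ErrorAction Stop

    # Translate the numeric 1200 value into the wording the IE dialog uses.
    $runActiveX = switch ($p.'1200') {
        0       { 'enable' }
        1       { 'prompt' }
        3       { 'disable' }
        default { "unknown ($_)" }
    }

    [pscustomobject]@{
        Zone         = $zoneNames[$ZoneId]
        CurrentLevel = ('0x{0:X}' -f $p.CurrentLevel)
        RunActiveX   = $runActiveX
        # Weak = the state the advisory warns about: ActiveX runs with no prompt,
        # or the zone level sits below High.
        Weak         = (($p.'1200' -eq 0) -or ($p.CurrentLevel -lt $highLevel))
    }
}

foreach ($id in $zoneNames.Keys) {
    $s    = Get-ZoneActiveXState -ZoneId $id
    $flag = if ($s.Weak) { 'WEAK: below High / ActiveX without prompt' } else { 'ok' }
    '{0,-15} level={1,-8} ActiveX={2,-8} {3}' -f $s.Zone, $s.CurrentLevel, $s.RunActiveX, $flag
}

# To apply the interim workaround (zone level High, which prompts before ActiveX
# controls run), uncomment the block below. Writing value 1200 alongside
# CurrentLevel is an assumption that mirrors what the Internet Options slider
# does; IE reads the individual values, not only the level marker.
# foreach ($id in $zoneNames.Keys) {
#     $key = Join-Path $zoneBase $id
#     Set-ItemProperty -Path $key -Name 'CurrentLevel' -Value $highLevel -Type DWord
#     Set-ItemProperty -Path $key -Name '1200'         -Value 1          -Type DWord
# }
```

Run it in the context of the user whose browser is in question, since the settings live in HKCU; a machine-wide check would have to walk each loaded user hive under HKEY_USERS instead.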
The alert is part of a recently launched Microsoft program to confirm reports of security problems and provide a workaround until a fix is delivered.
The discovery of this latest IE flaw comes two weeks after Microsoft released several "critical" security patches, including one for IE. Those patches addressed vulnerabilities that allowed for remote execution of code.
There is only one way to stop the hackers and the pirates. That way is to make browsing server-oriented. That is, the server would no longer be required to send any documents and files to the clients, and the clients would be used only to send commands to the servers.
When this is done, even a cellphone could be used to send surfing commands to the servers, which will cause the sales of cellphones to rise exponentially. The hackers and pirates would go out of business.
This approach is discussed in the blog at
http://wirelessera.rediffblogs.com/
It is not the internet infrastructure. It is years of ignoring security at Microsoft that causes these problems. Don't say it is because they have the market share. That is a falsehood. The systems that hackers could cause the most damage in are the web servers and mission-critical business systems. And no one with any sense trusts MS there.
Put the blame squarely where it belongs: the inept, lazy folks at Microsoft.
What's new, or rather, newsworthy about this is the fact that Microsoft has ignored this advisory from the company. From the SEC Consult website:
The advisory (IE6 COM instantiation heap corruption) has been released following a mail from Microsoft on June 29:
"We have completed our investigation and have determined that the Internet Explorer crash is not exploitable [http://...|http://...] With regards to your report, the product team did not find the heap to be corrupted and nothing from the HTML page made it into the register."
The timeline of this advisory was the following:
2005-06-17 advisory provided to vendor
2005-06-17 initial response
2005-06-29 investigation completed, vendor says bug is not exploitable
2005-06-29 advisory goes to full disclosure & bugtraq
2005-06-30 notification by vendor that the issue was now reproduced
It will be egg in the face for Microsoft if this issue is actually exploitable.
Looks like someone out there is taking advantage of the most recent security flaw in IE6. I received a fake patch today in my email where the subject line read: "Use this patch immediately!" It had an attachment along with it and was 14k in size. I know Microsoft never uses attachments, so I reported it to MS and Yahoo. Of course I did not open it.
Personally, I'd put on the fire-retardant gloves and move it into my isolation booth with my collection of virii, trojans and other suspect packages. One day I'm going to start sending some of these to the spammers - if I can ever find them :-)
- Windowzers continue to be taken for a ride!
- by July 1, 2005 9:46 PM PDT
- You Windowzers will one day wake up from your drunken stupor and realize that Billyboy is taking you for a long ride down a one-way street. He is laughing at you inept users that continue to bend over and take the trash they spew from Redmond. Why do you put up with this trash?!?!? I hope you enjoy the ride. Ignorance is bliss.
-
- haha
- by Scott W July 2, 2005 9:45 AM PDT
- lol, I love the bend over and take it line. hahaha!!!
-
- ...
- by the.wake July 2, 2005 12:16 PM PDT
- And insulting them is somehow supposed to convince them to switch?
-
- Windowzers continue to be taken for a ride!
- by July 6, 2005 7:42 AM PDT
- As opposed to being taken for a ride by Torvalds/De Raadt/whoever is heading up whichever flavor of Linux this week?
I'm not defending Microsoft by any stretch of the imagination, but any one Linux distro on average suffers from roughly twice the amount of security flaws as Microsoft does. Read bugtraq or full-disclosure sometime and count how many there are.
Then of course, there's secondary applications, the most irritating of which is PHP and other web boards, which keep the majority of site defacers in business. The majority of these secondary applications that have holes found in them are Linux based.
Has Microsoft been irresponsible with their security efforts? Absolutely, but so has Linux. Many tout OpenBSD as "Secure out of the Box", which is not only incorrect, but wildly irresponsible.