Microsoft has issued a security advisory for Internet Explorer, after a research firm published a working exploit to demonstrate how attackers could take advantage of the flaw.
The vulnerability, discovered by SEC Consult, mean that attackers could cause the browser to unexpectedly exit and execute arbitrary code. Versions of IE affected by the flaw include IE 6.0 on Windows 2000 with Service Pack 1, 3 and 4, and on Windows XP with Service Pack 1 and 2.
"Microsoft is investigating a new public report of a vulnerability affecting Internet Explorer. We have not been made aware of any attacks attempting to use the reported vulnerability or customer impact at this time," Microsoft said Thursday in its advisory. "But we are aggressively investigating the public report."
A patch for the flaw is not available. As an interim measure, the software giant advises people to set their Internet and local intranet security zone settings to "high" before running ActiveX controls.
The alert is part of a recently launched Microsoft program to confirm reports of security problems and provide a workaround until a fix is delivered.
Microsoft always issues daily warnings as to security flaws in its Windows operating systems or in its IE browsers and issues updates to them. so is there anything new in the discovery of IE security flaw hardly. No matter what Microsoft does the Hackers will find a way to breach the Security. It is because of the way the Internet Infrastructure is designed. It gives too much power to the people who own the Clients. Unless this power is taken awy there is nothing that can be done to stop the Hackers and the Pirates.
There is only one way to stop the Hackers and the Pirates. That way is to make the Browsing Server oriented. That is the server would no longer be required to send any documents and the files to the Clients and the clients be used only to send the commands to the servers.
When this is done even a cellphone could be used to send surfing commands to the Servers which will cause the sales of cellphones to rise exponentially. The Hackers and Pirates would go out of business.
Funny that these 12 year old kids can't get into my Linux install.
It is not the internet infrastructure. It is years of ignoring security at Microsoft that causes these problems. Don't say it is becuase they have the market share. That is a falsehood. The systems that hackers could cause the most damage in are the web servers and mission critical business systems. And no one with any sense trusts MS there.
Put the blame squarely where it belongs: the inept, lazy folks at Microsoft.
So instead the server is compromised? A sniffer is established and everyones server traffic is intercepted at the gateway? Thats not a very good solution.
What's new, or rather, newsworthy about this is the fact that Microsoft has ignored this advisory from the company. From the SEC Consult website:
The advisory (IE6 COM instantiation heap corruption) has been released following a mail from microsoft on June,29:
"We have completed our investigation and have determined that the Internet Explorer crash is not exploitable [http://...|http://...] With regards to your report, the product team did not find the heap to be corrupted and nothing from the HTML page made it into the register."
the timeline of this advisory was the following:
2005-06-17 advisory provided to vendor 2005-06-17 initial response 2005-06-29 investigation completed, vendor says bug is not exploitable 2005-06-29 advisory goes to full disclosure & bugtraq 2005-06-30 notification by vendor that the issue was now reproduced
It will be egg in the face for Microsoft if this issue is actually exploitable.
I quite appreciate your concern about privacy which is the formost thing i first consider before registering with your organisation, i thus appreciate and wish to contribute effectively towards your organisation
Looks like someone out there is taking advantage of the most recent security flaw in IE6. I received a fake patch today in my email where the subject line read: "Use this patch immediately!" It had an attachment along with, and was 14k in size. I know Microsoft never uses attachments, so I reported it to MS and Yahoo. Of course I did not open it.
Not only do M$ not send attachments - they do NOT send emails - chuck it in the bin & ignore it.
Personally, I'd put on the fire-retardant gloves & move it into my isolation booth with my collection of virii, trojans & other suspect packages. One day I'm going to start sending some of these to the spammers - if I can ever find them :-)
You Windowzers will one day wake up from your drunken stupor and realize that Billyboy is taking you for a long ride down a one way street. He is laughing at you inept users that continue to bend over and take the trash they spew from Redmond.
Why do you put up with this trash?!?!? I hope you enjoy the ride. Ignorance is bliss.
As opposed to being taken for a ride by Torvalds/De Raadt/whoever is heading up whichever flavor of Linux this week?
I'm not definding Microsoft by any stretch of the imagination, but any one Linux Distro on average suffers from roughly twice the amount of security flaws as Microsoft does. Read bugtraq or full-disclosure sometime and count how many there are.
Then of course, theres secondary applications, the most irritating of which is PHP and other web-boards, which keeps the majority of site defacers in business. The majority of these secondary applications that have holes found in them are Linux based.
Has Microsoft been irresponsible with their Security efforts? Absolutely, but so has Linux. Many tout OpenBSD as "Secure out of the Box", which is not only incorrect, but wildly irresponsible.
Chamtech's spray-on antenna uses a nano material to provide a low-power boost to antenna range. The wireless-in-a-can product may some day bring an end to unsightly cell towers.
Whether Apple will release a new iPad next month doesn't seem to be the question as much as what day it will happen. A new rumor has it down to the day.
Tommy Jordan, the man who shot his daughter's laptop for YouTube, gets a visit from police and child protection services. Oh, and Good Morning America.
EnerG2 opens a plant to make an engineered carbon that will improve performance of energy storage devices and make storage for start-stop hybrid cars less expensive.
As UC Berkeley students, the co-founders of "Back to the Roots" discovered they could grow mushrooms using recycled coffee grounds. Now their mushroom kit sells at grocery stores across the country.
There is only one way to stop the Hackers and the Pirates. That way is to make the Browsing Server oriented. That is the server would no longer be required to send any documents and the files to the Clients and the clients be used only to send the commands to the servers.
When this is done even a cellphone could be used to send surfing commands to the Servers which will cause the sales of cellphones to rise exponentially. The Hackers and Pirates would go out of business.
This approach is discussed in the blog at
<a class="jive-link-external" href="http://wirelessera.rediffblogs.com/" target="_newWindow">http://wirelessera.rediffblogs.com/</a>
It is not the internet infrastructure. It is years of ignoring security at Microsoft that causes these problems. Don't say it is becuase they have the market share. That is a falsehood. The systems that hackers could cause the most damage in are the web servers and mission critical business systems. And no one with any sense trusts MS there.
Put the blame squarely where it belongs: the inept, lazy folks at Microsoft.
What's new, or rather, newsworthy about this is the fact that Microsoft has ignored this advisory from the company. From the SEC Consult website:
The advisory (IE6 COM instantiation heap corruption) has been released following a mail from microsoft on June,29:
"We have completed our investigation and have determined that the Internet Explorer crash is not exploitable [http://...|http://...] With regards to your report, the product team did not find the heap to be corrupted and nothing from the HTML page made it into the register."
the timeline of this advisory was the following:
2005-06-17 advisory provided to vendor
2005-06-17 initial response
2005-06-29 investigation completed, vendor says bug is not exploitable
2005-06-29 advisory goes to full disclosure & bugtraq
2005-06-30 notification by vendor that the issue was now reproduced
It will be egg in the face for Microsoft if this issue is actually exploitable.
Looks like someone out there is taking advantage of the most recent security flaw in IE6. I received a fake patch today in my email where the subject line read: "Use this patch immediately!" It had an attachment along with, and was 14k in size. I know Microsoft never uses attachments, so I reported it to MS and Yahoo. Of course I did not open it.
Personally, I'd put on the fire-retardant gloves & move it into my isolation booth with my collection of virii, trojans & other suspect packages. One day I'm going to start sending some of these to the spammers - if I can ever find them :-)
and realize that Billyboy is taking you for a long ride down a one
way street. He is laughing at you inept users that continue to bend
over and take the trash they spew from Redmond.
Why do you put up with this trash?!?!? I hope you enjoy the ride.
Ignorance is bliss.
I'm not definding Microsoft by any stretch of the imagination, but any one Linux Distro on average suffers from roughly twice the amount of security flaws as Microsoft does. Read bugtraq or full-disclosure sometime and count how many there are.
Then of course, theres secondary applications, the most irritating of which is PHP and other web-boards, which keeps the majority of site defacers in business. The majority of these secondary applications that have holes found in them are Linux based.
Has Microsoft been irresponsible with their Security efforts? Absolutely, but so has Linux. Many tout OpenBSD as "Secure out of the Box", which is not only incorrect, but wildly irresponsible.