December 17, 2004 11:40 AM PST

Phishing hole discovered in IE

Microsoft is investigating reports of a new Internet Explorer flaw that puts people with the most secure version of Windows at risk of phishing attacks.

The software giant said Friday that it is looking into reports from security company Secunia and others that a vulnerability in IE6 enables scammers to launch a phishing attack against PCs loaded with the latest security updated version of Windows, Service Pack 2, and older versions of the operating system. Phishing attacks typically use such fake sites, which look like legitimate sites of companies such as banks, to try to con people into handing over personal information such as credit card numbers.

The Web browser flaw allows fraudsters to create a hard-to-spot spoofed Web site, according to an advisory from Secunia, even to the point of including a fake SSL signature padlock certificate. Phishers can also hijack cookies from any Web site, the company said.

"The problem is that users can't trust what they see in their browsers,? Thomas Kristensen, chief technology officer at Secunia, said. ?This can be used to trick users to perform actions on what they believe is a trusted Web site, but actually these actions are recorded and controlled by a malicious site.?

Despite the potential to create havoc for IE users, Secunia has rated the vulnerability as only "moderately critical," because it cannot be used to access computer networks.

For Microsoft, this vulnerability marks the latest setback in shoring up the security of its products. When the company launched SP2 in August, Chairman Bill Gates touted it as a significant step in shoring up systems against attacks.

A Microsoft representative said the company was ?aggressively? looking into the flaw, but stressed that it had not had reports of any attacks attempting to use the vulnerability. For now, Microsoft is encouraging customers follow its ?Protect your PC? guidelines for protecting their PCs by installing a firewall, getting software updates and loading antivirus software.

?Upon completion of the investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs," the representative said.

Adding to an ongoing debate over flaw notifications, the representative said Microsoft was concerned that the new report of the IE vulnerability was not disclosed to the software giant before it was made public.

"We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed," the representative said.

In its advisory, Secunia said an error in the Internet Explorer 6?s DHTML Edit ActiveX control causes the vulnerability when handling "execScript" functions in certain situations. This flaw can be exploited to execute arbitrary script code in the browser, it said. This would allow phishers to send out an e-mail with a link to a bogus Web site. The URL of the malicious Web site would briefly show, before sending the user off to the spoofed site.

"The problem is that certain input that is supplied to the ActiveX control isn't properly validated before it is returned to the browser," Kristensen said. "This can be exploited to place code that controls what is being displayed in the browser window, while the browser believes it is actually visiting a trusted Web site."

Secunia has posted an example of how the vulnerability works. It is advising users to disable ActiveX support, until a patch is available.

Dan Ilett of ZDNet UK contributed to this report.

14 comments

Join the conversation!
Add your comment
This comes at a bad time.
I recently got a SunTrust phishing email to an account that rarely ever gets spam. It seems that phishing scams have been on the rise lately. The fact that this vuln impacts the latest and greatest means it will probably be 2 1/2 years before 80% of desktops are patched against it. Especially considering that XP SP2 is pretty much the last major release before Longhorn.


And slightly off topic, I think Microsoft could reduce part of the security problem by fixing their licensing. If my moms PC runs XP home, I should be able to install a Retail or OEM version of XP home SP2 on her PC with her existing product license. (after all is the same hardware ID)

Instead I am forced to try to download patches over a slow dialup, or just borrow her PC so I can update it here.

I also believe Microsoft should give customers the ability to "deactivate" their copy of windows so that it can be used on another PC instead.

Microsoft is pretty slow to understand things though, so expect some of these features in 2015.
Posted by Dachi (797 comments )
Reply Link Flag
This comes at a bad time.
I recently got a SunTrust phishing email to an account that rarely ever gets spam. It seems that phishing scams have been on the rise lately. The fact that this vuln impacts the latest and greatest means it will probably be 2 1/2 years before 80% of desktops are patched against it. Especially considering that XP SP2 is pretty much the last major release before Longhorn.


And slightly off topic, I think Microsoft could reduce part of the security problem by fixing their licensing. If my moms PC runs XP home, I should be able to install a Retail or OEM version of XP home SP2 on her PC with her existing product license. (after all is the same hardware ID)

Instead I am forced to try to download patches over a slow dialup, or just borrow her PC so I can update it here.

I also believe Microsoft should give customers the ability to "deactivate" their copy of windows so that it can be used on another PC instead.

Microsoft is pretty slow to understand things though, so expect some of these features in 2015.
Posted by Dachi (797 comments )
Reply Link Flag
Firefox someone?
Guess Firefox or similar browsers will gain several users after this and other reports of IE bugs or what do you think?
Posted by OLIRC (4 comments )
Reply Link Flag
Firefox someone?
Guess Firefox or similar browsers will gain several users after this and other reports of IE bugs or what do you think?
Posted by OLIRC (4 comments )
Reply Link Flag
SP2 difficulties
Just a short comment.
The reason Microsoft doesen't hear about the SP2 problems from consumers is that it wants to charge for tech support. Even only filiing a complaint.
I've also noticed that Zone Alarm (the free version) and SP2 don't work together. I don't consider SP2's firewall to be very good and now I'm left feeling defenseless.
Thanks,
Ken
Posted by (2 comments )
Reply Link Flag
SP2 difficulties
Just a short comment.
The reason Microsoft doesen't hear about the SP2 problems from consumers is that it wants to charge for tech support. Even only filiing a complaint.
I've also noticed that Zone Alarm (the free version) and SP2 don't work together. I don't consider SP2's firewall to be very good and now I'm left feeling defenseless.
Thanks,
Ken
Posted by (2 comments )
Reply Link Flag
There is an answer.......
The answer to this IS NOT to use Firefox....

There is a posted comment in previous CNET records where I did comment about SP2 when it first came on the scene. I said that there would be more problems and that SP2 is not the be-all and end-all.

The problem is the use of Windows XP. XP now comes with SP2 when you buy it. There is a problem here and it is with Windows XP. Security is ONLY a state of mind. You can spend all your money and all your time in the effort to create the most secure system, but in the end....security is nothing more than a state of mind. Windows XP will take full control of your computer. Microsoft may own the rights to XP but they DO NOT own my computer. My computer belongs to me. I alone will take full responsibility for my computer, but I cannot do that if I allow someone like microsoft to take control. I will never run Windows XP, if for no other reason than the flaky nature of SP2.

Some may want to use a Mac, others may wish to run Linux. I am not going to argue that point. I will however say that using Windows XP with SP2 is just about the worst thing you can do. I questioned XP when it first came out and I have yet to come across ANYTHING that is good enough to change my negative view of it.

Windows ME was truly flaky, and nothing older than Windows 98se is worth even thinking about.

The point.....
If you must use windows, use something older than XP. DO NOT USE XP.

and.....
If you must use Internet Explorer, DO NOT USE 6.0

The newest thing is not the best thing, it's just the newest thing.
Posted by Prndll (382 comments )
Reply Link Flag
"Security is ONLY a state of mind."
You said: "Security is ONLY a state of mind."

LOL, that's a good one. Do you not lock your front door, use a seatbelt, open your eyes while driving, tie your shues, ... ? Of course you do (i hope)!

The point is that, yes, we are responsible for our own security, and if we do dumb things (e.g., download & run files of questionable origing), then we are to blame. But part of being responsible is also choosing the best available tools.

An important part of resposibly tending to ones security is to stop using the insecure browser called Internet Explorer. It seems that almost all security exploits are due to Microsoft's use of "Active-X" and its tying the browser (IE) into the operating system (Windows).

The BEST thing anyone can do in this regard is to use a more secure browser. My recommendation is:

Mozilla Firefox

<a class="jive-link-external" href="http://www.GetFirefox.com" target="_newWindow">http://www.GetFirefox.com</a>
.
Posted by Peter Reaper (11 comments )
Link Flag
There is an answer.......
The answer to this IS NOT to use Firefox....

There is a posted comment in previous CNET records where I did comment about SP2 when it first came on the scene. I said that there would be more problems and that SP2 is not the be-all and end-all.

The problem is the use of Windows XP. XP now comes with SP2 when you buy it. There is a problem here and it is with Windows XP. Security is ONLY a state of mind. You can spend all your money and all your time in the effort to create the most secure system, but in the end....security is nothing more than a state of mind. Windows XP will take full control of your computer. Microsoft may own the rights to XP but they DO NOT own my computer. My computer belongs to me. I alone will take full responsibility for my computer, but I cannot do that if I allow someone like microsoft to take control. I will never run Windows XP, if for no other reason than the flaky nature of SP2.

Some may want to use a Mac, others may wish to run Linux. I am not going to argue that point. I will however say that using Windows XP with SP2 is just about the worst thing you can do. I questioned XP when it first came out and I have yet to come across ANYTHING that is good enough to change my negative view of it.

Windows ME was truly flaky, and nothing older than Windows 98se is worth even thinking about.

The point.....
If you must use windows, use something older than XP. DO NOT USE XP.

and.....
If you must use Internet Explorer, DO NOT USE 6.0

The newest thing is not the best thing, it's just the newest thing.
Posted by Prndll (382 comments )
Reply Link Flag
"Security is ONLY a state of mind."
You said: "Security is ONLY a state of mind."

LOL, that's a good one. Do you not lock your front door, use a seatbelt, open your eyes while driving, tie your shues, ... ? Of course you do (i hope)!

The point is that, yes, we are responsible for our own security, and if we do dumb things (e.g., download &#38; run files of questionable origing), then we are to blame. But part of being responsible is also choosing the best available tools.

An important part of resposibly tending to ones security is to stop using the insecure browser called Internet Explorer. It seems that almost all security exploits are due to Microsoft's use of "Active-X" and its tying the browser (IE) into the operating system (Windows).

The BEST thing anyone can do in this regard is to use a more secure browser. My recommendation is:

Mozilla Firefox

<a class="jive-link-external" href="http://www.GetFirefox.com" target="_newWindow">http://www.GetFirefox.com</a>
.
Posted by Peter Reaper (11 comments )
Link Flag
Too Bad Article Didn't Mention a More Secure Alternative: FIREFOX
In an article that documents yet another serious security hole in Microsoft's Internet Explorer, C|Net is doing a DISSERVICE TO ITS READERS by not at least mentioning that there exists a FAR MORE SECURE ALTERNATIVE:

Mozilla Firefox
<a class="jive-link-external" href="http://www.GetFirefox.com" target="_newWindow">http://www.GetFirefox.com</a>

Mozilla not only patches their (few) vulnerabilities, it does is MUCH faster than MS.

To add insult to injury, IE has many MORE vulnerabilities than Mozilla.

IE: 69 Secunia Advisories (several highly critical)
<a class="jive-link-external" href="http://secunia.com/product/11/" target="_newWindow">http://secunia.com/product/11/</a>

Firefox: 0 Secunia Advisories (none highly critical)
<a class="jive-link-external" href="http://secunia.com/product/4227/" target="_newWindow">http://secunia.com/product/4227/</a>

US Department of Homeland Security recommends: "Use a different web browser"
<a class="jive-link-external" href="http://www.kb.cert.org/vuls/id/713878" target="_newWindow">http://www.kb.cert.org/vuls/id/713878</a>

Better "Security Architecture":
<a class="jive-link-external" href="http://www.mozilla.org/security/security-announcement.html" target="_newWindow">http://www.mozilla.org/security/security-announcement.html</a>

This speaks a pretty clear language. Firefox is only a 4.5 MB download, it's free, it's better, and it's more secure. Sounds like a no-brainer to me. Here's the link:

Mozilla Firefox
<a class="jive-link-external" href="http://www.GetFirefox.com" target="_newWindow">http://www.GetFirefox.com</a>
.
Posted by Peter Reaper (11 comments )
Reply Link Flag
Too Bad Article Didn't Mention a More Secure Alternative: FIREFOX
In an article that documents yet another serious security hole in Microsoft's Internet Explorer, C|Net is doing a DISSERVICE TO ITS READERS by not at least mentioning that there exists a FAR MORE SECURE ALTERNATIVE:

Mozilla Firefox
<a class="jive-link-external" href="http://www.GetFirefox.com" target="_newWindow">http://www.GetFirefox.com</a>

Mozilla not only patches their (few) vulnerabilities, it does is MUCH faster than MS.

To add insult to injury, IE has many MORE vulnerabilities than Mozilla.

IE: 69 Secunia Advisories (several highly critical)
<a class="jive-link-external" href="http://secunia.com/product/11/" target="_newWindow">http://secunia.com/product/11/</a>

Firefox: 0 Secunia Advisories (none highly critical)
<a class="jive-link-external" href="http://secunia.com/product/4227/" target="_newWindow">http://secunia.com/product/4227/</a>

US Department of Homeland Security recommends: "Use a different web browser"
<a class="jive-link-external" href="http://www.kb.cert.org/vuls/id/713878" target="_newWindow">http://www.kb.cert.org/vuls/id/713878</a>

Better "Security Architecture":
<a class="jive-link-external" href="http://www.mozilla.org/security/security-announcement.html" target="_newWindow">http://www.mozilla.org/security/security-announcement.html</a>

This speaks a pretty clear language. Firefox is only a 4.5 MB download, it's free, it's better, and it's more secure. Sounds like a no-brainer to me. Here's the link:

Mozilla Firefox
<a class="jive-link-external" href="http://www.GetFirefox.com" target="_newWindow">http://www.GetFirefox.com</a>
.
Posted by Peter Reaper (11 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.