[ISN] Microsoft plugs six browser holes

From: InfoSec News (isnat_private)
Date: Tue Feb 12 2002 - 01:01:23 PST

  • Next message: InfoSec News: "Re: [ISN] Analysts: Security's where the money is"

    http://news.com.com/2100-1001-834826.html
    
    By Robert Lemos 
    Staff Writer, CNET News.com
    February 11, 2002, 5:20 PM PT
    
    Microsoft released a collection of software fixes Monday to plug six
    security problems in its Internet Explorer browser, including one that
    could be exploited to take over a victim's computer.
    
    The advisory deemed as critical a vulnerability in the way Microsoft's
    browser opens external documents, but about which the software giant
    would say little for the past two months.
    
    "We have said that the issue is under investigation," said a
    representative for the software giant.
    
    The software flaw took Microsoft by surprise when a 31-year-old
    Austin, Texas-based security researcher using the handle "ThePull"  
    posted details of the problem to a security mailing list.
    
    The collection of software fixes, known as a cumulative patch, also
    fixes two flaws in the way Internet Explorer handles HTML, opens
    files, and executes certain scripts.
    
    The release comes 48 hours after two security researchers pointed out
    that the security hole found in December can be combined with last
    week's minor privacy flaw in MSN Messenger to hijack MSN accounts.
    
    "The flaw allows a malicious programmer, Web site or e-mail to
    impersonate you completely," said Thor Larholm, an Internet programmer
    for Danish portal Jubii and one of two researchers who found the
    problem. "You can, in essence, use this to remote-control a victim."
    
    Users are urged to download the latest patch.
    
    Larholm, along with British Web developer Tom Gilder, outlined the
    security slip-ups on their Web site, including the fact that Microsoft
    posted a set of fixes for the problem last Thursday, but took it down
    not two hours later.
    
    A Microsoft representative said that an error in the way the patch was
    distributed caused the company to pull it down and conduct further
    testing. Any Windows user who had already downloaded the patch during
    the two-hour window is fine, the representative said.
    
    Both security experts said they were disturbed by Microsoft's slow
    response, especially with respect to the December security problem
    found by ThePull.
    
    "Even when Microsoft patches the current round of security holes, it's
    only a matter of time before someone comes up with another one," said
    Gilder. "Domain-security related holes are reasonably frequent, and
    when the next one pops up MSN will be wide-open again."
    
    Finding this one wasn't that difficult, Larholm said. "We sat down for
    10 minutes and came up with this."
    
    Microsoft has embarked on an initiative to eliminate such
    vulnerabilities from its software and services. Recently, in a memo to
    every employee, Chairman Bill Gates stressed that the software titan
    needs to put security over features.
    
    Gilder said the jury's still out on whether Microsoft is doing just
    that.
    
    "Microsoft has said a lot of wise words recently, but I've not yet
    seen many of these actually being put into practice," Gilder said.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Feb 12 2002 - 04:46:03 PST