[ISN] Security Flaw Found in Explorer

From: InfoSec News (isnat_private)
Date: Wed Jun 05 2002 - 01:20:14 PDT

  • Next message: InfoSec News: "[ISN] Evolving viruses threat to many platforms"

    http://www.lasvegassun.com/sunbin/stories/tech/2002/jun/04/060408242.html
    
    June 04, 2002 
    
    REDMOND, Wash. - A security flaw in Microsoft's Internet Explorer
    browser could allow a hacker to take control of a remote computer if
    its user clicks a link to an outdated Internet protocol, a computer
    security firm says.
    
    Oy Online Solutions Ltd. of Finland said it notified Microsoft Corp.  
    of the security hole on May 20 but the software giant has yet to
    produce a software patch to fix the problem, the Toronto Star reported
    Tuesday.
    
    A Microsoft spokesman who refused to be identified said Tuesday that
    the company is "moving forward on the investigation with all due
    speed" and will take the action that best serves its customers.
    
    The problem concerns Gopher, an Internet protocol that predates the
    World Wide Web with pages like Web pages except that they are unable
    to store audio and video content.
    
    Although Gopher is considered an outdated format for Internet content,
    it is still supported by Internet Explorer and most other browsers.
    
    According to Oy Online, a hacker could take over a user's computer
    simply by having the user click on a link to a "hostile Gopher site."  
    That one click would install and run any program the hacker chose on
    the victim's computer, and the victim might never know.
    
    "The program could, for example, delete information from the computer
    or collect information and send it out from the computer," Oy Online
    said in a release. "(It) could also install a so-called backdoor
    (program) that would enable the hostile attacker to access the
    computer later."
    
    All versions of Internet Explorer are believed to be vulnerable, the
    Star reported.
    
    Refusing to confirm the security flaw, the Microsoft spokesman said
    the company "feel(s) strongly that speculating on the issue while the
    investigation is in progress would be irresponsible and
    counterproductive to our goal of protecting our customers'
    information."
    
    And the spokesman added, "Responsible security researchers work with
    the vendor of a suspected vulnerability issue to ensure that
    countermeasures are developed before the issue is made public and
    customers are needlessly put at risk."
    
    After being embarrassed on an almost regular basis by security flaws
    in its products - including a debilitating problem found in its latest
    Windows XP operating system just days after its release - Microsoft
    began a companywide training program on security issues earlier this
    year.
    
    In January, Microsoft Chairman Bill Gates instructed employees to make
    software security a top priority.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Jun 05 2002 - 04:31:34 PDT