[ISN] New security flaw in Outlook, IE

From: InfoSec News (isnat_private)
Date: Thu Jul 11 2002 - 04:01:22 PDT

  • Next message: InfoSec News: "Re: [ISN] President's advisor predicts cyber-catastrophes unless security improves"

    By Robert Lemos 
    Staff Writer, CNET News.com
    July 10, 2002, 5:25 PM PT
    A Danish security researcher warned users of Microsoft's Internet
    Explorer, Outlook and Outlook Express applications that a recently
    discovered software flaw could leave their system open to malicious
    code carried on Web pages or in e-mails.
    In an advisory released Wednesday, Thor Larholm, a security researcher
    and partner at risk-assessment company PivX Solutions, warned that
    HTML objects embedded in Web pages and e-mails could carry code that
    allows an attacker to check out victims' cookie files, read their
    documents, and execute programs on their computer.
    The bug, known as a cross-domain scripting flaw, was discovered on
    June 25, and information about it has been posted on several security
    lists since then. Larholm also informed Microsoft of the bug the day
    it was discovered.
    "Since this is possibly very publicly known...I have decided to
    release this advisory after only two weeks time," Larholm said in the
    Microsoft thought Larholm had overstated the seriousness of the flaw.  
    "Thor's advisory doesn't make it clear that there are significant
    mitigating factors associated with the issue," said a company
    representative, adding that people who limited their browsing to
    trusted sites would be safe as would people who had installed one of
    the software giant's patches for its e-mail clients.
    The company chose to lambaste Larholm for disclosing the flaw too
    quickly. "It's a shame that Thor chose to publicize this issue before
    the patch could be completed, because by doing so, he's significantly
    increased the risk to customers," the representative said.
    The amount of information disclosed about a flaw, and how fast
    consultants make the disclosure, has been a point of contention
    between software makers and the bug finders based at security
    companies. Recent research suggests, however, that the corporate
    customers who suffer from software maker's slipups actually want flaws
    disclosed more quickly.
    Hackers and security experts frequently find software flaws in
    Microsoft's Internet Explorer. In June, Microsoft released a patch for
    an IE flaw that allowed attackers to run code on a victim's computer
    by exploiting links to an old pre-Web protocol known as Gopher. The
    month before that, the company released a patch for IE that fixed six
    different flaws.
    To repair the current problem, Larholm recommended that users disable
    ActiveX in the security settings for Internet Explorer, or run IE and
    Outlook in "Restricted" mode, at least until Microsoft releases a
    Microsoft said a patch will be available soon.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu Jul 11 2002 - 06:58:10 PDT