[ISN] Security vulnerabilities persist after IE 6 patch

From: InfoSec News (isnat_private)
Date: Fri Sep 13 2002 - 03:55:21 PDT

    http://www.nwfusion.com/news/2002/0912mssec.html
    
    By Paul Roberts
    IDG News Service 
    09/12/02 
    
    Only three days after the official release of the first patch for
    Microsoft's Internet Explorer Version 6 Web browser, security experts
    are raising concerns about security vulnerabilities that were not
    addressed by the company.
    
    The patch release, known as "Service Pack 1," was posted Monday on
    Microsoft's Web site and contains fixes for more than 300 issues with
    Internet Explorer 6, which was first released with the Windows XP
    operating system in October 2001. Despite the fixes, however, security
    experts warn that significant vulnerabilities remain even after
    applying the patch.
    
    "Security-wise, I would say it's pretty bad right now," says Thor
    Larholm, a security researcher for Pivx Solutions, a Newport Beach,
    Calif., security consulting company.
    
    "You can do anything to anyone's Web page with Internet Explorer 6.  
    It's wide open to anyone."
    
    Top among Larholm and other security experts' concerns are
    vulnerabilities that make it possible for attackers to take advantage
    of holes in the web of restrictions and security rules that make up
    Microsoft's Dynamic HTML Object Model, which governs the interaction
    of windows, dialog boxes and Web page frames.
    
    An advisory issued recently by the Israeli security company GreyMagic
    Software warns that Internet Explorer, including Version 6 Service
    Pack 1, remains exposed to what is referred to as "cross-frame
    scripting."
    
    Cross-frame scripting is intended to make it easy to pass information
    back and forth between different parts of a Web page. It also makes
    it possible for attackers, once their Web page is loaded by Internet
    Explorer, to use JavaScript to change the URL displayed in one Web
    page sub-frame, referred to as a "child," to match that of the main
    Web page, or "parent." This circumvents a host of security rules that
    prohibit free interaction between frames displaying different Internet
    domains. Once in control of the parent frame, an attacker can replace
    that frame's URL with a new script that reads information from cookies
    and other files containing a user's personal information.
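    The security rules the article refers to are what is now called the
    same-origin policy: script in one frame may touch the document in
    another frame only when both documents come from the same scheme,
    host and port. The following is an added example, written for this
    page and not code from the article, from GreyMagic or from Microsoft.
    It models that check in plain JavaScript (Node.js) over a constructed
    frame tree; the frame names and URLs (bank.example, ads.example) are
    sample data. The point it illustrates is that the decision must be
    based on the origin of the document actually loaded in each frame,
    never on a URL string supplied by the script asking for access.

```javascript
// Added example: a minimal model of the same-origin rule governing
// script access between frames. Frame names and URLs are constructed.

// Derive the origin (scheme, host, port) of a document from its URL.
// Default ports are normalised so https://a.example and
// https://a.example:443 compare equal; hosts compare case-insensitively.
function originOf(documentUrl) {
  const u = new URL(documentUrl);
  const defaultPorts = { "http:": "80", "https:": "443" };
  const port = u.port || defaultPorts[u.protocol] || "";
  return {
    scheme: u.protocol.replace(/:$/, ""),
    host: u.hostname.toLowerCase(),
    port,
  };
}

// Two origins match only when all three components match.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// A frame records the URL of the document actually loaded in it.
function makeFrame(name, documentUrl, children = []) {
  return { name, documentUrl, children };
}

// True if script running in `accessor` may read the DOM of `target`.
// The check uses the loaded documents' origins, not caller-supplied data.
function mayAccessDom(accessor, target) {
  return sameOrigin(originOf(accessor.documentUrl),
                    originOf(target.documentUrl));
}

// Enumerate every (accessor -> target) pair the policy refuses, the way a
// test suite would audit the decisions over a whole frame tree.
function deniedPairs(root) {
  const frames = [];
  (function collect(f) { frames.push(f); f.children.forEach(collect); })(root);
  const denied = [];
  for (const a of frames) {
    for (const t of frames) {
      if (a !== t && !mayAccessDom(a, t)) denied.push(`${a.name}->${t.name}`);
    }
  }
  return denied;
}

// Constructed sample: a bank page (parent) holding one same-origin child
// and one third-party child.
const sampleTree = makeFrame("parent", "https://bank.example/account", [
  makeFrame("childA", "https://BANK.example:443/widget"),
  makeFrame("childB", "https://ads.example/frame"),
]);

console.log("denied:", deniedPairs(sampleTree).join(", "));
```

    Run with `node`, the output lists the four refused pairs involving
    the third-party frame; the same-origin child (which differs from the
    parent only in host case and an explicit default port) is allowed in
    both directions.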
    
    And, experts say, because of the tight integration between Microsoft's
    Internet Explorer browser and its other Office products, such as the
    popular e-mail program Outlook, there is no shortage of ways to trick
    unsuspecting users into visiting a Web page that a hacker controls.
    
    "This can be done in many ways," said Lee Dagon, a researcher at
    GreyMagic.
    
    "For example, some versions of Outlook Express and Outlook render
    e-mails sent in HTML format ... this means that scripts can execute
    and therefore the vulnerability becomes exploitable by e-mail," Dagon
    said.
    
    While not all of the vulnerabilities Larholm identified are severe,
    the Denmark-based researcher said that the sheer number of different
    security holes makes it easy for attackers to move freely once they
    have gained access to a machine using Internet Explorer and running
    Windows.
    
    "They all add up," Larholm said in reference to the security holes.  
    "Some are mild, some are severe, but when you combine them, they can
    be devastating."
    
    An example of the cumulative effect of such holes can be found in an
    advisory posted on Malware.com, a security Web site. Taking advantage
    of three separate Internet Explorer vulnerabilities, one reported more
    than a year ago, those who run the Web site were able to demonstrate
    how a program could be silently placed and run on a remote computer
    with no user interaction other than visiting an attacker's Web page
    and having Internet Explorer and Windows Media Player -- both
    standard Microsoft Windows applications -- installed.
    
    Such vulnerabilities are particularly dangerous when coupled with an
    unsuspecting user, Dagon said.
    
    "Users are generally trusting their browser to keep them safe and most
    of them don't even realize that a simple Web page may be able to
    access their private documents," Dagon said.
    
    When asked for comment on the issues raised by Larholm and other
    security experts, a spokesman for Microsoft said that the company
    firmly believes it acts in the best interest of customers, and that
    Microsoft's security experts often reach different conclusions about
    the technical feasibility of the possible attacks identified by
    third-party security experts.
    
    Despite the vulnerabilities he found, Larholm still recommends that
    Internet Explorer users upgrade to Service Pack 1.
    
    "If you're going to use Internet Explorer, I would recommend upgrading
    to Service Pack 1," Larholm said. "The vulnerabilities that exist in
    [Internet Explorer version 6.0] Service Pack 1 exist in the 5.0, 5.5
    and 6.0 browsers too, and the improvements in Service Pack 1 are
    adequate to justify upgrading."
    
    In addition, the lack of attention to vulnerabilities in other browser
    platforms doesn't mean that those are more secure, Larholm said. "Even
    though Internet Explorer is very high profile on vulnerabilities
    doesn't mean that those vulnerabilities don't exist in other browsers
    as well."
    
    Indeed, other browsers may be just as susceptible as Internet
    Explorer, but are much less commonly used.
    
    "The Netscape, Opera, and Konqueror browsers, nobody writes exploits
    for those [browsers] because nobody really cares," Larholm said.  
    "They'll have to have more than 1 percent or 2 percent of users before
    people start to notice."
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    