[ISN] IE holes open up Web booby traps

From: InfoSec News (isnat_private)
Date: Tue Oct 22 2002 - 23:05:04 PDT

    By Robert Lemos
    Staff Writer, CNET News.com
    October 22, 2002, 1:21 PM PT

    An Israeli Web-application company has warned users of Internet
    Explorer that nine related security flaws in the program could be used
    by malicious hackers to gain access to a victim's computer files.
    GreyMagic Software said Tuesday that the vulnerabilities--eight of
    which it deemed critical--could be exploited using a specially coded
    Web page that would run malicious programs on a victim's computer if
    the victim visited the page.
    "Using these flaws in combination with other known flaws that can
    silently deliver files to the user's disk could result in full
    compromise of the client's computer," said Lee Dagon, head of research
    and development for GreyMagic.
    In addition to letting Net vandals steal private local documents, the
    flaws could let malicious hackers copy clipboard information, execute
    arbitrary programs and fool IE users by forging trusted Web sites, the
    company said in its .
    GreyMagic said Internet Explorer 5.5 and 6 are affected by the flaws
    but that the latest service packs to each of these versions of IE plug
    the holes.
    The bugs appear in how Internet Explorer caches Web objects. GreyMagic
    found the flaws after researching three different aspects of the
    Internet Explorer object model earlier this month, Dagon said.
    "In each session we found more vulnerabilities," he said.
    Seven of the flaws can grant an attacker full access to the victim's
    PC, while another makes the currently loaded document readable and the
    last lets an attacker read and write to the clipboard.
    "The attacker would need to know the name and exact path to (a) file,"
    added Dagon, pointing out that the vulnerabilities don't let a vandal
    browse a victim's machine for files. "However, Windows has several
    sensitive files in relatively static locations; these could be grabbed
    and used against the victim." For example, the Windows password file
    is in the same location on every Windows computer and could be copied
    using the flaws.
    Upgrading Internet Explorer 5.5 to Service Pack 2 plugs the security
    holes, the company said. Patching Internet Explorer 6 with Service
    Pack 1 will fix the problems in that version of the program as well.  
    The latest updates for both versions of IE can be found through
    Microsoft's Windows Update page.

    Flaw-reporting flawed?

    GreyMagic Software released the news of the flaws at the same time it
    gave the information to Microsoft, saying that in the past "notifying
    Microsoft ahead of time and waiting for them to patch the reported
    issues proved...nonproductive."
    Because Microsoft only received news of the holes on Tuesday, the
    software giant couldn't confirm the existence of the vulnerabilities.  
    Testing the demo code provided by GreyMagic Software, however, showed
    that the flaws apparently were real.
    The Israeli Web company's refusal to notify Microsoft first, however,
    earned it the software giant's ire.
    "We are concerned by the way this report has been handled," a
    Microsoft representative said in a statement e-mailed to CNET
    News.com. "Publishing this report may put computer users at risk--or
    at the very least could cause needless confusion and apprehension."
    For more than a year, Microsoft has been fighting to rein in the
    public disclosure of flaws, issuing criticism of what it deems to be
    irresponsible reporting and sponsoring the formation of a group to set
    standards for disclosing vulnerabilities.
    In the past, software makers haven't been very responsive to security
    issues, but that's changing. Most researchers still believe that
    releasing information about flaws is the best way to warn the public.  
    However, the same researchers increasingly believe that giving the
    software's creator a fair amount of time to create a patch is the most
    responsible way to handle such incidents.
    Interpretations of what's fair, however, can vary--from a few days to
    a few months.
    According to Dagon, previous advisories that the company brought to
    the software titan's attention took anywhere from 3 months to more
    than 6 months to fix. Since then, he said, GreyMagic has lost
    "Microsoft takes quite a while to plug even the simplest security
    issue, leaving users exposed to risks for months at a time instead of
    letting them know about temporary workarounds," Dagon said.
    But Microsoft isn't the only one to voice concern about reports such
    as GreyMagic's. The open-source community was not happy when security
    company Internet Security Systems dropped a bomb by posting an
    advisory about a major flaw in the Apache Web server just hours after
    it had notified the development group.
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 01:54:18 PDT