[ISN] 30 unpatched holes in IE, says security researcher

From: InfoSec News (isnat_private)
Date: Wed Sep 10 2003 - 23:08:21 PDT

  • Next message: InfoSec News: "[ISN] EEYE: Microsoft RPC Heap Corruption Vulnerability - Part II"

    By Sam Varghese
    September 11, 2003
    Microsoft may be releasing details of vulnerabilities every week but
    it is yet to tackle the 30 unpatched holes in Internet Explorer which
    have been documented by well-known security researcher Thor Larholm.
    Larholm, a former black hat and now a senior security researcher with
    PivX Solutuions, said today that seven more vulnerabilities had been
    added to the list he maintains, all of them having been discovered by
    Chinese researcher Liu Die Yu.
    "One of these new vulnerabilities exploits a new attack vector that
    has surfaced in IE lately, namely misdirecting user input," Larholm
    said. "This allows you to redirect a user's mouseclick to (for
    example) the OK button on a dialog asking for security confirmation by
    moving the browser window prior to the mouse being released.
    "This resurrects the debate on whether to disable some core
    functionality to heighten security, and areas such as programmatically
    moving the user's browser around is likely to be the first considered
    seeing as it historically impairs, rather than heightens, the user
    "The six other vulnerabilities are classic cross-domain scripting
    vulnerabilities that allow you to steal cookies and sensitive data
    from arbitrary websites, such as your online email or banking. When
    you couple these vulnerabilities with any of the known ways to load
    files from local security zones, you are able to read local files,
    plant files and execute arbitrary commands."
    Larholm said Liu Die Yu had published similar vulnerabilities in the
    past. "About half a dozen more vulnerabilities, quite similar, were
    published as well by Liu Die Yu, but all of those have either been
    patched long ago or explicitly patched by the latest cumulative IE
    patch, MS03-032.
    "Similarly, several of the vulnerabilities that remain unpatched are
    known to be under active investigation by the Microsoft Security
    Response Center, and I am confident that a secure patch is being
    prepared for prompt release."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu Sep 11 2003 - 01:20:35 PDT