Forwarded from: William Knowles <wk@private> http://www.eweek.com/article2/0,4149,1528043,00.asp By David Morgenstern February 16, 2004 A security company on Monday alerted clients of a new vulnerability to Internet Explorer 5, one attributed to the recent leak of Microsoft Corp. Windows source code. The quick attack appears to contradict some optimistic expectations that the recent leak of Windows 2000 and NT code would not pose a significant opportunity for hackers. According to a message posted by SecurityGlobal.net LLC's Security Tracker Web site, a vulnerability was reported in Microsoft Internet Explorer Version 5 that lets a "remote user execute arbitrary code on the target system." A hacked bitmap file can trigger an integer overflow and execute arbitrary code, the security bulletin said. The author of the warning said that this flaw was uncovered by reviewing the recently leaked Windows source code. "I downloaded the Microsoft source code. Easy enough. It's a lot bigger than Linux, but there were a lot of people mirroring it and so it didn't take long," observed the anonymous programmer in his warning. The code is a portion of source from Windows NT 4.0 and Windows 2000 that made its way onto the Internet Thursday. "IE6 is not vulnerable, so I guess I'll get back to work. My Warhol worm will have to wait a bit..." wrote the author of the warning. No patch was available for download from Microsoft's Security Web site and the company was not available for comment. Several analysts had predicted no immediate threat from the source code leak, since the amount of code presented on the Internet was limited. However, in comments offered on Friday, Ken Dunham, malicious-code manager at iDefense Inc., based in Reston, Va., said that vulnerabilities in the older Windows would likely be much easier to discover and exploit now after the leak of the source code. "There are a lot of implications to this. The situation just got a lot worse, in terms of vulnerabilities," he said in an interview with an eWEEK reporter. "I imagine we'll be seeing a lot more this year because of this. There's certainly enough in [the leaked code] to play with." This warning follows a string of recent vulnerabilities concerning Internet Explorer. Earlier this month Microsoft released a cumulative patch covering a dangerous Internet Explorer vulnerability that let attackers trick customers into visiting malicious sites. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ---------------------------------------------------------------- C4I.org - Computer Security, & Intelligence - http://www.c4i.org ================================================================ Help C4I.org with a donation: http://www.c4i.org/contribute.html *==============================================================* - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Feb 17 2004 - 09:26:29 PST