[ISN] Microsoft products also vulnerable to Mozilla flaw

From: InfoSec News (isn@private)
Date: Tue Jul 13 2004 - 01:29:04 PDT


By Paul Roberts
IDG News Service

Popular Microsoft products may be vulnerable to a security
vulnerability that is similar to one patched for the Mozilla Web
browsers last week.

Microsoft's MSN Messenger and Word word processing application both
support a feature that could give remote users access to functions
that could be used to launch applications on Windows computers, according
to an alert from Secunia, which tracks software vulnerabilities.

A Microsoft spokeswoman said the company is investigating the reports,
but is not aware of any attacks using the vulnerabilities.

The applications both fail to restrict access to the "shell:"  
Universal Resource Identifier, a feature that allows Windows users or
software applications to launch programs associated with specific file
extensions such as DOC (associated with Word) or TXT (associated with
Notepad, the Windows text editing program), said Secunia, of

Malicious hackers could launch programs associated with specific
extensions using links embedded in Word documents or instant messages
sent using MSN. However, the vulnerability does not allow attackers to
pass instructions to the programs, which would allow more
sophisticated attacks, Secunia said.
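
Added example (not part of the original article, and not Secunia's or
Microsoft's code): one way an application that renders links from
documents or instant messages could restrict URI schemes with a
default-deny allowlist, so that "shell:" and any other unlisted scheme is
never made clickable. The allowlist contents, function names and sample
links are assumptions constructed for illustration.

```python
import re

# Default-deny allowlist; this particular set is an assumption for the example.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Characters that lenient URL parsers trim or drop before dispatching a link.
_STRIP_EDGES = "".join(chr(c) for c in range(0x21))  # C0 controls and space
_DROP_ANYWHERE = str.maketrans("", "", "\t\r\n")


def normalize(link: str) -> str:
    """Trim C0/space from the edges and remove embedded tab/CR/LF."""
    return link.strip(_STRIP_EDGES).translate(_DROP_ANYWHERE)


def scheme_of(link: str):
    """Return the lowercased scheme, or None if the link has no valid scheme."""
    m = _SCHEME_RE.match(normalize(link))
    return m.group(1).lower() if m else None


def is_link_allowed(link: str, allowed=ALLOWED_SCHEMES) -> bool:
    """True only when the link carries an explicitly allowed scheme."""
    scheme = scheme_of(link)
    return scheme is not None and scheme in allowed


def blocked_links(links):
    """Return (link, scheme) pairs for links that must not be made clickable."""
    return [(l, scheme_of(l)) for l in links if not is_link_allowed(l)]


# Constructed sample input: links as they might appear in a message or document.
SAMPLE_LINKS = [
    "https://example.com/report.doc",
    "shell:placeholder-target",
    "  SHELL:placeholder-target",    # case and leading-space variation
    "sh\tell:placeholder-target",    # embedded tab that a parser may drop
    "mailto:user@example.com",
    "example.com/no-scheme",         # no scheme: rejected, nothing to resolve against
]

if __name__ == "__main__":
    for link, scheme in blocked_links(SAMPLE_LINKS):
        print(f"blocked {link!r} (scheme={scheme})")
```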

On Thursday, the Mozilla Foundation issued patches for a similar flaw
in Windows versions of its Web browsers, Firefox and Thunderbird, and
the Mozilla Application Suite.

News of the Mozilla flaws came amid increasing interest in alternative
Web browsers after news broke about a number of serious security
vulnerabilities in Microsoft's Internet Explorer Web browser that were
being used in stealthy Web-based attacks.

According to data compiled by WebSideStory, a San Diego Web
measurement company, Internet Explorer's share of the browser market
dropped by 1% in the last month, the first noticeable decline since
the company began tracking the browser market in late 1999.

On July 2, Microsoft released a software update that disables a
Windows component called ADODB.Stream, which was used in the Web
attacks, and promised more updates for Windows and Internet Explorer
to address the security issues.

If necessary, Microsoft could issue a fix for the MSN Messenger and
Word flaws through its monthly software update process or an emergency
patch, the company spokeswoman said.

The Redmond, Wash., software company expressed displeasure at the
release of information on the product vulnerabilities, which were
first publicized in the Full-Disclosure discussion list, a public
online forum for those interested in computer software

"We continue to encourage responsible disclosure of vulnerabilities.  
We believe the commonly accepted practice of reporting vulnerabilities
directly to a vendor serves everyone's best interests, by helping to
ensure that customers receive comprehensive, high-quality patches for
security vulnerabilities with no exposure to malicious attackers while
the update is being developed," the company said in an e-mail
