[ISN] More security hiccups for IE

From: InfoSec News (isn@private)
Date: Thu Nov 18 2004 - 03:20:47 PST


http://news.com.com/More+security+hiccups+for+IE/2100-1002_3-5457105.html

By Robert Lemos 
Staff Writer, CNET News.com
November 17, 2004

Microsoft's Internet Explorer has become a turkey shoot for flaw
finders.

This week, three more vulnerabilities were found in version 6 of the
software giant's flagship Web browser, security information provider
Secunia said on Wednesday. That brings the total number of IE
vulnerabilities disclosed in the past two months to 19, including
eight flaws fixed by Microsoft during its October patch cycle.

The latest flaws were found by two different researchers, Secunia
said. Two could be used together to allow malicious content to bypass
an mechanism in Microsoft Windows XP Service Pack 2 that alerts people
about potentially harmful programs, Secunia stated. The third
vulnerability could be used to overwrite the cookies of a trusted site
to hijack a Web session, if the site handles authentication in an
insecure manner, according to that advisory.

The flaws were rated "moderately critical" and "not critical,"  
respectively, by Secunia.

"We have not been made aware of any active attacks against the
reported vulnerabilities or customer impact at this time, but we are
aggressively investigating the public reports," Microsoft said in a
statement sent to CNET News.com.

The company said that customers who needed advice should visit its
software security site and its PC Protect site for home users.  
Microsoft also criticized the researchers for publicizing the flaws
without allowing it to work to solve the problems first.

"Microsoft is concerned that this new report of a vulnerability in
Internet Explorer was not disclosed responsibly, potentially putting
computer users at risk," the company said in the statement. "We
believe the commonly accepted practice of reporting vulnerabilities
directly to a vendor serves everyone's best interests."

Security researchers and hackers, however, are not paying heed to the
software giant's standard chastisement of public disclosure. In the
past two months, flaw finders have publicized critical Internet
Explorer vulnerabilities and a slew of security issues in Service Pack
2, the company's latest update to Windows XP.

Already, viruses have started to use the critical Internet Explorer
flaw to spread.



_________________________________________
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/



This archive was generated by hypermail 2.1.3 : Thu Nov 18 2004 - 04:26:54 PST