resource center
  See your link here
|
Subscribe to Computerworld IDG News Service -
Security analysts and vendors are reporting a flaw in Microsoft Corp.'s Internet Explorer browser that could allow malicious code to run and allow a hacker to take control of a user's computer.
Microsoft was informed of a vulnerability with IE's drag-and-drop function in August 2005, after it was first found by Matthew Murphy, said Noam Rathaus, chief technical officer at Beyond Security Ltd. in Netanya, Israel today. The company, which helped Murphy report the flaw to Microsoft last year, runs an independent security site called SecuriTeam.
Websense Inc., which also issued a warning today, wrote that a specially crafted Web site could trick a user into dragging and dropping an item from one window to the other. After the user released the mouse in the newly focused window, code could run without the user's consent, Websense said.
Microsoft said it wouldn't issue an immediate patch, but will instead wait to issue a fix in Service Pack 2 for Windows Server 2003 and Windows XP Service Pack 3, Rathaus said.
Microsoft officials were not immediately available for comment.
The SecuriTeam site went public with the vulnerability after consulting Microsoft, Rathaus said. SecuriTeam detailed three methods to prevent the flaw from being exploited.
SecuriTeam's advisory criticized Microsoft's decision not to issue a patch, saying the company's "conclusion appears fundamentally inconsistent with the way related issues were handled by Microsoft."
Further, Websense said the vulnerability is not as easy to exploit as some others, but a risk remains.
"They [Microsoft] don't see the issue being that important," Rathaus said. "They are not going to fix it any time soon."
As part of its monthly patch update, Microsoft plans to release seven fixes tomorrow for Windows Media Player, Windows and Microsoft Office.
IDG.net
Mitigating Litigation Risk with Email Management Tools
Does your company have an email retention policy that protects it when litigation occurs? IDC discusses effective email retention policies and the role...
Managing And Protecting Your Ever Increasing Mobile Assets
Learn best practices for desktop and application virtualization, computer security, and computer life-cycle management....
Protecting Content During Business Disruption: Are You Covered?
Learn how ECM is helping Tulane University and the 13th Judicial Circuit Court implement disaster readiness programs....
Why Compliance Pays
This OnDemand webcast explores the relationship that firms with best compliance records have higher revenue, greater customer retention, lower financial losses from data...
Beyond PCI Checklists: Securing Cardholder Data with Tripwire's Enhanced File Integrity Monitoring
How do organizations pass their PCI DSS audits yet still suffer security breaches? Paying attention to PCI DSS checklists only partially secures the...
Best Practices for Managing Business Risks from the Use of IT
(Source: Symantec) Based on exhaustive benchmarks conducted by the IT Policy Compliance, this session highlights the relationship between business risks and use of...
Authentication as a Service by Forrester Research
Authentication-as-a-Service: understand the benefits of two factor authentication and the best ways to implement it....
Sun OpenSSO Enterprise Webinar
(Source: Sun) This webinar replay discusses Sun OpenSSO Enterprise innovation--the single, open-source solution that helps your business solve the challenges around internal access...
Sustaining SOX Compliance: Best Practices to Mitigate Risk, Automate Compliance, and Reduce Costs
Since the adoption of SOX, much has been learned about IT compliance. Discover how to make SOX efforts more effective in "Sustaining Sox...
Agile Enterprise Content Management (ECM) for Rapid ROI
(Source: IBM) Content rich business processes are a core feature of daily operations at just about any organization today. Very often these essential...
Sign up to receive updates on the latest Security resources
CIO
Computerworld
CSO
DEMO
GamePro
Games.net
IDC
IDG
IDG Connect
IDG Knowledge Hub
IDG TechNetwork
IDG Ventures
IDG.net
InfoWorld
ITwhitepapers
ITworld
JavaWorld
LinuxWorld
Macworld
Network World
PC World
The Industry Standard
Copyright © 1994 - 2009 Computerworld Inc. All
rights reserved. Reproduction in whole or in part in any form or medium
without express written permission ofComputerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc. |
