New IE gopher flaw enables remote PC attacks

IDG News Service - Another security flaw identified in Microsoft Corp.'s Internet Explorer 5.5 and 6.0 Web browsers has the potential to give a remote user access to a host computer, according to a Finnish security company.
The attack exploits IE's built-in gopher client. Gopher, a nearly obsolete protocol for accessing remote directories and files, has been largely superseded by the Web and HTTP.
The code in IE that parses gopher replies contains an exploitable buffer overflow bug. A malicious server could be used to run arbitrary code on an IE user's system, Online Solutions Oy said in a security advisory issued yesterday.
The attack can be launched via a Web page or an HTML mail message that redirects the user to a malicious gopher server when the user views them. The exploiter could do anything a regular user could do on the system -- retrieve, install or remove files, or upload and run programs.
IE users can protect themselves from the flaw by disabling the gopher protocol. Since very few gopher servers still exist on the Internet today, this is unlikely to cause operational problems, the company said.
Jyvaskyla, Finland-based Online Solutions said it informed Microsoft of the vulnerability May 20 and that Microsoft has indicated that it's working on a patch.
A Microsoft spokesman said the Microsoft Security Response Center is investigating the issue, just as the company does with every report it receives of security vulnerabilities affecting Microsoft products.
"At this point in the investigation we feel strongly that speculating on the issue while the investigation is in progress would be irresponsible and counterproductive to our goal of protecting our customers' information," the spokesman said.
"Microsoft is moving forward on the investigation with all due speed and, when it is completed, we will take the action that best serves Microsoft's customers," the spokesman said.
The spokesman said Microsoft was concerned with the way the report of this vulnerability was handled. He said publishing the report could put computer users at risk -- or at the very least could cause needless confusion and apprehension. He said responsible security researchers work with the vendor of a suspected vulnerability to ensure that a patch is developed before the issue is made public.
Until a patch is released, Online Solutions suggests that users follow a simple way to disable processing and displaying gopher pages by defining a nonfunctional gopher proxy in the Internet Options menu.
Users should select Tools -> Internet options -> Connections; click on "LAN settings"; check "Use a proxy server for your LAN"; click on "Advanced..."; in this area, where users can define proxy servers to be used with different protocols, go to the gopher text field and enter "localhost", and "1" in the port text field. This will stop IE from fetching any gopher documents, the company said.

Linda Rosencrance of Computerworld contributed to this report.

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.