Ads by TechWords

See your link here
Receive the latest technology news and information.
Security
Virus and Vulnerability Roundup
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
Cloud Computing
View all newsletters




Privacy Policy
 

New Internet Explorer holes causing alarm

The four flaws could allow hackers to run attack code on Windows systems

June 11, 2004 12:00 PM ET

IDG News Service - Four new holes have been discovered in the Internet Explorer (IE) Web browser that could allow malicious hackers to run attack code on Windows systems, even if those systems have installed the latest software patches from Microsoft Corp., security experts warned.
Some of the flaws are already being used to attack Windows users and include a glitch that allows attackers to fake or "spoof" the address of a Web page, as well as vulnerabilities that enable malicious pages from the Internet to be handled by IE with very little scrutiny or security precautions.
A Microsoft spokeswoman acknowledged the reports and said the software company is looking into the attacks and is considering what steps to take, including the release of an emergency security patch to address the problems.
Word of the four vulnerabilities surfaced in security discussion newsgroups in recent weeks. Two of the vulnerabilities, first disclosed by someone using the name "Rafel Igvi" and posted to the NTBugtraq discussion list, allows attackers to load content from malicious Web pages while displaying the Web address of legitimate sites in the Web browser's address bar. Attackers could trick users into clicking on the bogus Web links using e-mail messages or by linking from other Web pages.
The vulnerability is very similar to another hole uncovered in December that allowed attackers to hide the real location of a Web page by including the characters %01 before the @ symbol in a URL. The new vulnerability allows attackers to hide the actual address of the Web page that's being loaded by prefacing the address with the characters ::/ with some IE Web site addresses, according to security company Secunia.
"Conceptually, it's very similar to the %01 problem, and [the flaw] is in a related part of the Internet Explorer code," said Thor Larholm, senior security researcher at PivX Solutions LLC.
Another unpatched hole, called a "cross-zone scripting" vulnerability, allows attackers to trick IE into loading insecure content using relaxed security precautions typically applied to files stored on the local hard drive or obtained from a trusted Web site such as www.microsoft.com, Copenhagen-based Secunia said.

When combined, the address-spoofing and cross-zone scripting holes can allow a potent and stealthy attack, with attackers using the spoofing hole to trick IE into thinking that it's on a safe Web site, even as it loads malicious content from another part of the Internet, Larholm said.
"The address spoofing makes sure [the attacker] can load content from his site, and the cross-zone scripting hole makes sure he can


Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.

Jump to comments

Viruses

Additional Resources

Microsoft
Here are some of the key reasons why you would want to run Unified Access Gateway with DirectAccess.
Microsoft
Review how one energy firm tightened protection and simplified IT work using business-ready security solutions.
Sybase
In this white paper, IDC analyzes the role of next-generation mobile enterprise platforms as organizations seek a more strategic deployment of mobile solutions.

Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.

White Papers & Webcasts

Can Heuristic Technology Help Your Company Fight Viruses?
What is Heuristic Technology and how can it help safeguard your business against viruses? Learn more.  

Employee Web Use and Misuse
Download this new White Paper today!  

The Workday User Experience Video
Watch Workday's Creative Director, Scott Lietzke, discuss the business-centered design philosophy at Workday.

Get More from Your IT Budget
Download this new white paper today!  

Business Process Framework Demo
Learn about Configurable Business Processes and Calculated Fields. Watch Now!


IT Jobs