StarDestroyer.Net BBS

New Explorer 6 active scripting flaw reported


Microsoft said it is 'aggressively' investigating the reports

Story by Todd R. Weiss

NOVEMBER 26, 2003 ( COMPUTERWORLD ) - Security researchers in Denmark are warning users to disable "active scripting" in Microsoft Corp.'s Internet Explorer 6.0 Web browser to prevent attackers from targeting and taking remote control of their PCs.
Niels Rasmussen, CEO of security research company Secunia ApS in Copenhagen, said yesterday that the latest vulnerabilities "allow malicious Web sites and viruses to bypass the security zone settings in Internet Explorer."

The discovery was made by researcher Liu Die Yu, who posted it on public reporting bulletin boards, Rasmussen said. The report said the problem combines "multiple 'minor' vulnerabilities" and "are as simple to exploit as the three-month-old Object Data vulnerability, which was exploited by several spam mails and pornographic Web pages" in recent months, Rasmussen said.

Presently, the only fix is to disable Explorer's active scripting so that the feature can't be used to attack the machine, according to Secunia. Other browsers that don't have the feature, such as Netscape Navigator, Mozilla or Opera, can be used without fear of attacks.

Art Manion, an Internet security analyst at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh, confirmed that his testing of the reported vulnerability showed that at least one of the reported problems can be duplicated on an Explorer 6 machine that has already been fully patched with existing Microsoft updates, meaning that the vulnerability does exist.

Manion said the problem is a "cross-domain scripting vulnerability," which incorrectly allows a script from one Web site to run on another domain when using Explorer 6. That means an attacker could potentially access data on a victim's PC, he said.

CERT has posted instructions on how to disable active scripting in Explorer 6 to protect users from attacks until a fix is found.

Debby Fry Wilson, director of the security business unit at Microsoft, said in a statement last night that the company is "investigating new public reports of possible vulnerabilities in Internet Explorer," based on the latest postings. "We have not been made aware of any active exploits of the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports."

If the flaw is confirmed, Microsoft "will take the appropriate action to protect our customers, which may include providing a fix through our monthly patch release process or an out-of-cycle patch, depending on customer needs," she said.

Microsoft released Microsoft Security Bulletin MS03-048 on Nov. 11, which provided a cumulative patch for Internet Explorer, Wilson said. "We continue to encourage customers to install this security update -- and to follow our 'Protect Your PC' guidance of enabling a firewall, getting software updates and installing antivirus software."

Wilson also said Microsoft is concerned that the latest vulnerability reports weren't sent to the company before being made public, giving attackers time to use it for new attacks on users.

Reports of the vulnerabilities "were not disclosed responsibly, potentially putting computer users at risk," she said. "We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality patches for security vulnerabilities, with no exposure to malicious attackers while the patch is being developed."

Bill Door wrote:Another? how many unfixed security flaws is it now? Can someone mess with XP and remove IE? I'm starting to get very worried.

And praise Durandal for showing me the Light that is MoZilla Firebird!

Aya wrote:Wait, people actually use IE, still?

darthdavid wrote:*huggles mozilla 1.5* *stares menacingly at stupid sister who refuses to use mozilla and keeps my pressscious in jeporady with retarded hax in ie*

Vertigo1 wrote:

darthdavid wrote:*huggles mozilla 1.5* *stares menacingly at stupid sister who refuses to use mozilla and keeps my pressscious in jeporady with retarded hax in ie*

Theres a good way to solve that. Delete the IE shortcut on the desktop and create a new account for her....and deny her the right to create new icons on the desktop. Then the only way she'd be able to use it is if she used explorer to browse the hard drive, then typed in a URL.

phongn wrote:I hope Microsoft ports over the IE hardening tools from 2K3 Server to XP SP2.

Einhander Sn0m4n wrote:

phongn wrote:I hope Microsoft ports over the IE hardening tools from 2K3 Server to XP SP2.

In all likelihood MS won't because there's only one explanation for such blatant security issues: MS sold its IE users to the spyware companies!

phongn wrote:

Einhander Sn0m4n wrote:

phongn wrote:I hope Microsoft ports over the IE hardening tools from 2K3 Server to XP SP2.

In all likelihood MS won't because there's only one explanation for such blatant security issues: MS sold its IE users to the spyware companies!

Don't be such an idiot, Ein. If you haven't noticed, most spyware gets installed when users install various programs such as Kazaa.