New Explorer 6 active scripting flaw reported

[BoredShirtless]

Don't be too shocked.

New Explorer 6 active scripting flaw reported


Microsoft said it is 'aggressively' investigating the reports

Story by Todd R. Weiss

NOVEMBER 26, 2003 ( COMPUTERWORLD ) - Security researchers in Denmark are warning users to disable "active scripting" in Microsoft Corp.'s Internet Explorer 6.0 Web browser to prevent attackers from targeting and taking remote control of their PCs.
Niels Rasmussen, CEO of security research company Secunia ApS in Copenhagen, said yesterday that the latest vulnerabilities "allow malicious Web sites and viruses to bypass the security zone settings in Internet Explorer."

The discovery was made by researcher Liu Die Yu, who posted it on public reporting bulletin boards, Rasmussen said. The report said the problem combines "multiple 'minor' vulnerabilities" and "are as simple to exploit as the three-month-old Object Data vulnerability, which was exploited by several spam mails and pornographic Web pages" in recent months, Rasmussen said.

Presently, the only fix is to disable Explorer's active scripting so that the feature can't be used to attack the machine, according to Secunia. Other browsers that don't have the feature, such as Netscape Navigator, Mozilla or Opera, can be used without fear of attacks.

Art Manion, an Internet security analyst at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh, confirmed that his testing of the reported vulnerability showed that at least one of the reported problems can be duplicated on an Explorer 6 machine that has already been fully patched with existing Microsoft updates, meaning that the vulnerability does exist.

Manion said the problem is a "cross-domain scripting vulnerability," which incorrectly allows a script from one Web site to run on another domain when using Explorer 6. That means an attacker could potentially access data on a victim's PC, he said.

CERT has posted instructions on how to disable active scripting in Explorer 6 to protect users from attacks until a fix is found.

Debby Fry Wilson, director of the security business unit at Microsoft, said in a statement last night that the company is "investigating new public reports of possible vulnerabilities in Internet Explorer," based on the latest postings. "We have not been made aware of any active exploits of the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports."

If the flaw is confirmed, Microsoft "will take the appropriate action to protect our customers, which may include providing a fix through our monthly patch release process or an out-of-cycle patch, depending on customer needs," she said.

Microsoft released Microsoft Security Bulletin MS03-048 on Nov. 11, which provided a cumulative patch for Internet Explorer, Wilson said. "We continue to encourage customers to install this security update -- and to follow our 'Protect Your PC' guidance of enabling a firewall, getting software updates and installing antivirus software."

Wilson also said Microsoft is concerned that the latest vulnerability reports weren't sent to the company before being made public, giving attackers time to use it for new attacks on users.

Reports of the vulnerabilities "were not disclosed responsibly, potentially putting computer users at risk," she said. "We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality patches for security vulnerabilities, with no exposure to malicious attackers while the patch is being developed."

[Slartibartfast]

A flaw in IE 6? That's impossible.

[BoredShirtless]

Yeah, I thought so too until seeing this.

[Jason von Evil]

Wait, people actually use IE, still?

[Chardok]

I'm seeing more and more why so many people extoll the virtues of MoZilla...Gotta thank Durandal for showing me the light...

[muse]

Like, OMG! IE has like a security bug?! OMG, like we're all going to die!

Seriously, ho-hum, what else is new, Microsoft security leaks water like a fishnet. Now if they manage to go a year without a flaw coming up that requires a critical security update it'll be news. Hooray for Opera!

[Einhander Sn0m4n]

Only one small problem with turning off RadioActiveHaX in IE: M$ in their infinite wisdom decided to HARD-CODE a warning prompt that comes up every time IE finds a Craptivex control (which can happen dozens of times on one web page!). Here's the kicker: The only way to get rid of this crap is to reenable ActiveHaX. Correction: There's another way. It's called Mozilla Firebird.

[Bill Door]

Another? how many unfixed security flaws is it now? Can someone mess with XP and remove IE? I'm starting to get very worried.

And praise Durandal for showing me the Light that is MoZilla Firebird!

[Einhander Sn0m4n]

Another? how many unfixed security flaws is it now? Can someone mess with XP and remove IE? I'm starting to get very worried.

And praise Durandal for showing me the Light that is MoZilla Firebird!

Maybe we should add rasons for why Mozilla is so good and IE so bad in the Board FAQ...

[Uraniun235]

Wait, people actually use IE, still?

They're called lazy computer users.

[Slartibartfast]

99% don't even know it's called Idiot Exploiter. They just press the rubber "browse" button in their SuperHyperTurboKeyboards and IE opens.

[darthdavid]

*huggles mozilla 1.5* *stares menacingly at stupid sister who refuses to use mozilla and keeps my pressscious in jeporady with retarded hax in ie*

[darthdavid]

Though between zone alarm, the firewall in my router, spyware gaurd and norton antivirus it doubt that even ie, even in the hands of my sister can harm this box.

[Vertigo1]

*huggles mozilla 1.5* *stares menacingly at stupid sister who refuses to use mozilla and keeps my pressscious in jeporady with retarded hax in ie*

Theres a good way to solve that. Delete the IE shortcut on the desktop and create a new account for her....and deny her the right to create new icons on the desktop. Then the only way she'd be able to use it is if she used explorer to browse the hard drive, then typed in a URL.

[Einhander Sn0m4n]

*huggles mozilla 1.5* *stares menacingly at stupid sister who refuses to use mozilla and keeps my pressscious in jeporady with retarded hax in ie*

Theres a good way to solve that. Delete the IE shortcut on the desktop and create a new account for her....and deny her the right to create new icons on the desktop. Then the only way she'd be able to use it is if she used explorer to browse the hard drive, then typed in a URL.

Better yet (and this one's so evil only a BOFH would dream it up!) Get Kerio Firewall, 'burn' it in (turn all your internet apps on and create 'allow' rules for them), and then when you turn on IE, tell Kerio to DENY IE access to the Net! Same for Explorer.exe. It works for me!

Then get yourself a nice LART.




P.S. /me is the BOFH of the Royal House of Cox-Terrell and carries multiple LARTs

[phongn]

I hope Microsoft ports over the IE hardening tools from 2K3 Server to XP SP2.

[Einhander Sn0m4n]

I hope Microsoft ports over the IE hardening tools from 2K3 Server to XP SP2.

In all likelihood MS won't because there's only one explanation for such blatant security issues: MS sold its IE users to the spyware companies!

[phongn]

I hope Microsoft ports over the IE hardening tools from 2K3 Server to XP SP2.

In all likelihood MS won't because there's only one explanation for such blatant security issues: MS sold its IE users to the spyware companies!

Don't be such an idiot, Ein. If you haven't noticed, most spyware gets installed when users install various programs such as Kazaa.

[Einhander Sn0m4n]

I hope Microsoft ports over the IE hardening tools from 2K3 Server to XP SP2.

In all likelihood MS won't because there's only one explanation for such blatant security issues: MS sold its IE users to the spyware companies!

Don't be such an idiot, Ein. If you haven't noticed, most spyware gets installed when users install various programs such as Kazaa.

LOL! I think i should have said 'browser hijackers'. Besides, maybe I am a bit too conspiracy-theory-minded today...

[darthdavid]

Complete lockout is the first thing i thought of but long story short, between my mom who gets scared every time i make a minor change to the computer and my sister who has some serious crap on me i've got no real way to fix their security lapses without getting my self hosed. So i'm going for the "scare them into using mozilla by telling them every time an ie bug is found" approach. It should sink in eventually at which point i nuke all access to ie and hope they don't notice.