Switch to Firefox - Internet Explorer Code Exposes Risk In Unpatched Hole
Skip | 21 November, 2005 17:30
From CNET News.com - Today, several Internet security companies issued
advisories about a security hole exploit in the latest patched version
of Microsoft Internet Explorer v5.5 and v6.0.
The exploit could take advantage of several critical security flaws in the browser running on Windows XP Service Pack 2 (SP2) and on Windows 2000 SP4.
Once a user is tricked into visiting a malicious Web site, a flaw in javascript can be exploited automatically without user intervention.
"An attacker could use the exploit to run any code they want to on a person's system," said Thomas Kristensen, Secunia's chief technology officer. "It could be they want to launch some really nasty code on a user's system."
The flaw lies in a Javascript component of IE used for loading Web pages onto a computer, according to an advisory from SANS Internet Storm Center.
Microsoft has not yet released a patch for the exploit code, so users can attempt to work around the problem by either shutting off javascript or using another type of browser, the security firms advised.
Security researchers said the IE vulnerability has been known for the past six months, but had previously been seen as a conduit for denial-of-service attacks rather than the remote execution of code. DDOS attacks, which attempt to crash a system by flooding it with data, are considered less-severe security risks.
The exploit code was published by an organization called Computer Terrorism.
Because the flaw was initially believed to involve only a potential DOS attack, Microsoft never issued a patch for the problem. It is not yet known whether Microsoft will spin out a patch for the flaw immediately or wait for its monthly patch cycle.
According to News.com, a Microsoft representative was not able to comment on the flaw or the exploit, but did say that the company is investigating reports of the possible vulnerability for customers using Internet Explorer while running Windows 2000 SP4 and Windows XP SP2.
"We have also been made aware of proof of concept code that could seek to exploit the reported vulnerability but are not aware of any customer impact at this time," the representative said.
Microsoft, upon completion of its investigation, will take appropriate action to protect its customers by providing a patch as part of its monthly security bulletin program or in a separate security advisory, the representative added.
This continued security problem points to further and growing logical reasons to migrate to the open source software browser, Firefox. Not only is Firefox a faster browser, it offers greater security, is free and more and more companies are building support for it into their software and web services systems.
You can download the Firefox browser here: http://www.mozilla.org/products/firefox/
The exploit could take advantage of several critical security flaws in the browser running on Windows XP Service Pack 2 (SP2) and on Windows 2000 SP4.
Once a user is tricked into visiting a malicious Web site, a flaw in javascript can be exploited automatically without user intervention.
"An attacker could use the exploit to run any code they want to on a person's system," said Thomas Kristensen, Secunia's chief technology officer. "It could be they want to launch some really nasty code on a user's system."
The flaw lies in a Javascript component of IE used for loading Web pages onto a computer, according to an advisory from SANS Internet Storm Center.
Microsoft has not yet released a patch for the exploit code, so users can attempt to work around the problem by either shutting off javascript or using another type of browser, the security firms advised.
Security researchers said the IE vulnerability has been known for the past six months, but had previously been seen as a conduit for denial-of-service attacks rather than the remote execution of code. DDOS attacks, which attempt to crash a system by flooding it with data, are considered less-severe security risks.
The exploit code was published by an organization called Computer Terrorism.
Because the flaw was initially believed to involve only a potential DOS attack, Microsoft never issued a patch for the problem. It is not yet known whether Microsoft will spin out a patch for the flaw immediately or wait for its monthly patch cycle.
According to News.com, a Microsoft representative was not able to comment on the flaw or the exploit, but did say that the company is investigating reports of the possible vulnerability for customers using Internet Explorer while running Windows 2000 SP4 and Windows XP SP2.
"We have also been made aware of proof of concept code that could seek to exploit the reported vulnerability but are not aware of any customer impact at this time," the representative said.
Microsoft, upon completion of its investigation, will take appropriate action to protect its customers by providing a patch as part of its monthly security bulletin program or in a separate security advisory, the representative added.
This continued security problem points to further and growing logical reasons to migrate to the open source software browser, Firefox. Not only is Firefox a faster browser, it offers greater security, is free and more and more companies are building support for it into their software and web services systems.
You can download the Firefox browser here: http://www.mozilla.org/products/firefox/
Comments for post
Menu
calendar
| « | September 2008 | » | ||||
|---|---|---|---|---|---|---|
| Su | Mo | Tu | We | Th | Fr | Sa |
| 1 | 2 | 3 | 4 | 5 | 6 | |
| 7 | 8 | 9 | 10 | 11 | 12 | 13 |
| 14 | 15 | 16 | 17 | 18 | 19 | 20 |
| 21 | 22 | 23 | 24 | 25 | 26 | 27 |
| 28 | 29 | 30 | ||||
RSS Feed