Topic: Critical Alert for IE (FYI)  (Read 5254 times)

0 Members and 1 Guest are viewing this topic.

Toasty0

  • Guest
Critical Alert for IE (FYI)
« on: November 26, 2003, 06:55:08 pm »

A Chinese security researcher has warned of five serious vulnerabilities in Microsoft's (Quote, Chart) Internet Explorer browser, warning that a successful exploit could lead to system takeover.

Liu Die Yu released details of the flaws on the Bugtraq mailing list and issued a warning that the vulnerabilities could lead to system access, exposure of sensitive information, cross site scripting and security bypass.

Yu also released proof-of-concept exploits on the popular mailing list, noting that the flaws affect Internet Explorer versions 5.0, 5.5 and 6.0.

Independent security consultant Secunia has rated the flaws 'Extremely Critical' and urged IE users to disable Active Scripting as a workaround until Microsoft issues a fix.

The flaws related to a redirection feature in the browser using the "mhtml:" URI handler. The researcher warned that it could be exploited to bypass a security check in Internet Explorer which normally blocks web pages in the "Internet" zone from parsing local files.

Yu said the redirection feature could also be exploited to download and execute a malicious file on a user's system. Successful exploitation requires that script code can be executed in the "MyComputer" zone, he explained.

The security alert also included a cross-site scripting vulnerability that could allow a malicious attacker to execute script code in the security zone associated with another Web page if it contains a subframe.

A variant of a previously fixed flaw can still be exploited to hijack a user's clicks and perform certain actions without the user's knowledge, the researcher explained.

Microsoft, which usually issues cumulative patches to fix Internet Explorer vulnerabilities, has adopted a new schedule to release fixes on the second Tuesday of every month. However, the company has said it would break that schedule if active exploits are circulating and causing major damage.

The company could not be reached to comment on Yu's public release of the proof-of-concept exploits.

Separately, the software giant released a knowledge base advisory to fix a flaw in the Microsoft Exchange Server 2003. The company said the issue related to the way Windows SharePoint Services use Kerberos authentication.

"To configure a virtual server that is extended with Windows SharePoint Services to use Kerberos authentication, you must first enable Kerberos in IIS, and then configure an SPN for the domain account that the virtual server is running as," the company explained.

http://siliconvalley.internet.com/news/article.php/3114171

Best,
Jerry  

EE

  • Guest
Re: Critical Alert for IE (FYI)
« Reply #1 on: November 27, 2003, 03:13:21 am »
Man.. different colors please lol. I could barely read that

Demandred

  • Guest
Re: Critical Alert for IE (FYI)
« Reply #2 on: November 27, 2003, 08:05:25 am »
*checks browser version*

K-Meleon 0.8. Yep, I'm safe.  

Toasty0

  • Guest
Re: Critical Alert for IE (FYI)
« Reply #3 on: November 27, 2003, 10:19:16 am »
really? What scheme are you using?

 

jualdeaux

  • Guest
Re: Critical Alert for IE (FYI)
« Reply #4 on: November 27, 2003, 10:49:21 am »
Quote:

*checks browser version*

K-Meleon 0.8. Yep, I'm safe.    




Also check browser. Firebird 0.7. Safe too.
 

mathcubeguy

  • Guest
Re: Critical Alert for IE (FYI)
« Reply #5 on: November 27, 2003, 11:43:50 am »
Quote:

really? What scheme are you using?

   




Im using the default taldren sceme and the text color is almost as dark as the background.  

Towelie

  • Guest
Re: Critical Alert for IE (FYI)
« Reply #6 on: November 27, 2003, 04:34:51 pm »
****REPOSTED IN DIFFERENT COLOR SO IT'S EASIER TO READ****
A Chinese security researcher has warned of five serious vulnerabilities in Microsoft's (Quote, Chart) Internet Explorer browser, warning that a successful exploit could lead to system takeover.

Liu Die Yu released details of the flaws on the Bugtraq mailing list and issued a warning that the vulnerabilities could lead to system access, exposure of sensitive information, cross site scripting and security bypass.

Yu also released proof-of-concept exploits on the popular mailing list, noting that the flaws affect Internet Explorer versions 5.0, 5.5 and 6.0.

Independent security consultant Secunia has rated the flaws 'Extremely Critical' and urged IE users to disable Active Scripting as a workaround until Microsoft issues a fix.

The flaws related to a redirection feature in the browser using the "mhtml:" URI handler. The researcher warned that it could be exploited to bypass a security check in Internet Explorer which normally blocks web pages in the "Internet" zone from parsing local files.

Yu said the redirection feature could also be exploited to download and execute a malicious file on a user's system. Successful exploitation requires that script code can be executed in the "MyComputer" zone, he explained.

The security alert also included a cross-site scripting vulnerability that could allow a malicious attacker to execute script code in the security zone associated with another Web page if it contains a subframe.

A variant of a previously fixed flaw can still be exploited to hijack a user's clicks and perform certain actions without the user's knowledge, the researcher explained.

Microsoft, which usually issues cumulative patches to fix Internet Explorer vulnerabilities, has adopted a new schedule to release fixes on the second Tuesday of every month. However, the company has said it would break that schedule if active exploits are circulating and causing major damage.

The company could not be reached to comment on Yu's public release of the proof-of-concept exploits.

Separately, the software giant released a knowledge base advisory to fix a flaw in the Microsoft Exchange Server 2003. The company said the issue related to the way Windows SharePoint Services use Kerberos authentication.

"To configure a virtual server that is extended with Windows SharePoint Services to use Kerberos authentication, you must first enable Kerberos in IIS, and then configure an SPN for the domain account that the virtual server is running as," the company explained.
http://siliconvalley.internet.com/news/article.php/3114171

Best,
Jerry

****END REPOST***

Towelie

  • Guest
Re: Critical Alert for IE (FYI)
« Reply #7 on: November 27, 2003, 04:36:29 pm »
  There's color schemes? Wow, I should start browsing the personalized settings more...

Toasty0

  • Guest
Re: Critical Alert for IE (FYI)
« Reply #8 on: November 27, 2003, 09:57:25 pm »
Quote:

Quote:

really? What scheme are you using?

   




Im using the default taldren sceme and the text color is almost as dark as the background.  




Hmmm...I'm using the Taldren testing setting. I don't think there's that big a difference. I see the text color just fine on a black bg. Hmmm...I'm truly baffled as to why you cannot.

Shucks, I'll try a different color next. Sorry to have caused you and problems.

Best,
Jerry  

Toasty0

  • Guest
Critical Alert for IE (FYI)
« Reply #9 on: November 26, 2003, 06:55:08 pm »

A Chinese security researcher has warned of five serious vulnerabilities in Microsoft's (Quote, Chart) Internet Explorer browser, warning that a successful exploit could lead to system takeover.

Liu Die Yu released details of the flaws on the Bugtraq mailing list and issued a warning that the vulnerabilities could lead to system access, exposure of sensitive information, cross site scripting and security bypass.

Yu also released proof-of-concept exploits on the popular mailing list, noting that the flaws affect Internet Explorer versions 5.0, 5.5 and 6.0.

Independent security consultant Secunia has rated the flaws 'Extremely Critical' and urged IE users to disable Active Scripting as a workaround until Microsoft issues a fix.

The flaws related to a redirection feature in the browser using the "mhtml:" URI handler. The researcher warned that it could be exploited to bypass a security check in Internet Explorer which normally blocks web pages in the "Internet" zone from parsing local files.

Yu said the redirection feature could also be exploited to download and execute a malicious file on a user's system. Successful exploitation requires that script code can be executed in the "MyComputer" zone, he explained.

The security alert also included a cross-site scripting vulnerability that could allow a malicious attacker to execute script code in the security zone associated with another Web page if it contains a subframe.

A variant of a previously fixed flaw can still be exploited to hijack a user's clicks and perform certain actions without the user's knowledge, the researcher explained.

Microsoft, which usually issues cumulative patches to fix Internet Explorer vulnerabilities, has adopted a new schedule to release fixes on the second Tuesday of every month. However, the company has said it would break that schedule if active exploits are circulating and causing major damage.

The company could not be reached to comment on Yu's public release of the proof-of-concept exploits.

Separately, the software giant released a knowledge base advisory to fix a flaw in the Microsoft Exchange Server 2003. The company said the issue related to the way Windows SharePoint Services use Kerberos authentication.

"To configure a virtual server that is extended with Windows SharePoint Services to use Kerberos authentication, you must first enable Kerberos in IIS, and then configure an SPN for the domain account that the virtual server is running as," the company explained.

http://siliconvalley.internet.com/news/article.php/3114171

Best,
Jerry  

EE

  • Guest
Re: Critical Alert for IE (FYI)
« Reply #10 on: November 27, 2003, 03:13:21 am »
Man.. different colors please lol. I could barely read that

Demandred

  • Guest
Re: Critical Alert for IE (FYI)
« Reply #11 on: November 27, 2003, 08:05:25 am »
*checks browser version*

K-Meleon 0.8. Yep, I'm safe.  

Toasty0

  • Guest
Re: Critical Alert for IE (FYI)
« Reply #12 on: November 27, 2003, 10:19:16 am »
really? What scheme are you using?

 

jualdeaux

  • Guest
Re: Critical Alert for IE (FYI)
« Reply #13 on: November 27, 2003, 10:49:21 am »
Quote:

*checks browser version*

K-Meleon 0.8. Yep, I'm safe.    




Also check browser. Firebird 0.7. Safe too.
 

mathcubeguy

  • Guest
Re: Critical Alert for IE (FYI)
« Reply #14 on: November 27, 2003, 11:43:50 am »
Quote:

really? What scheme are you using?

   




Im using the default taldren sceme and the text color is almost as dark as the background.  

Towelie

  • Guest
Re: Critical Alert for IE (FYI)
« Reply #15 on: November 27, 2003, 04:34:51 pm »
****REPOSTED IN DIFFERENT COLOR SO IT'S EASIER TO READ****
A Chinese security researcher has warned of five serious vulnerabilities in Microsoft's (Quote, Chart) Internet Explorer browser, warning that a successful exploit could lead to system takeover.

Liu Die Yu released details of the flaws on the Bugtraq mailing list and issued a warning that the vulnerabilities could lead to system access, exposure of sensitive information, cross site scripting and security bypass.

Yu also released proof-of-concept exploits on the popular mailing list, noting that the flaws affect Internet Explorer versions 5.0, 5.5 and 6.0.

Independent security consultant Secunia has rated the flaws 'Extremely Critical' and urged IE users to disable Active Scripting as a workaround until Microsoft issues a fix.

The flaws related to a redirection feature in the browser using the "mhtml:" URI handler. The researcher warned that it could be exploited to bypass a security check in Internet Explorer which normally blocks web pages in the "Internet" zone from parsing local files.

Yu said the redirection feature could also be exploited to download and execute a malicious file on a user's system. Successful exploitation requires that script code can be executed in the "MyComputer" zone, he explained.

The security alert also included a cross-site scripting vulnerability that could allow a malicious attacker to execute script code in the security zone associated with another Web page if it contains a subframe.

A variant of a previously fixed flaw can still be exploited to hijack a user's clicks and perform certain actions without the user's knowledge, the researcher explained.

Microsoft, which usually issues cumulative patches to fix Internet Explorer vulnerabilities, has adopted a new schedule to release fixes on the second Tuesday of every month. However, the company has said it would break that schedule if active exploits are circulating and causing major damage.

The company could not be reached to comment on Yu's public release of the proof-of-concept exploits.

Separately, the software giant released a knowledge base advisory to fix a flaw in the Microsoft Exchange Server 2003. The company said the issue related to the way Windows SharePoint Services use Kerberos authentication.

"To configure a virtual server that is extended with Windows SharePoint Services to use Kerberos authentication, you must first enable Kerberos in IIS, and then configure an SPN for the domain account that the virtual server is running as," the company explained.
http://siliconvalley.internet.com/news/article.php/3114171

Best,
Jerry

****END REPOST***

Towelie

  • Guest
Re: Critical Alert for IE (FYI)
« Reply #16 on: November 27, 2003, 04:36:29 pm »
  There's color schemes? Wow, I should start browsing the personalized settings more...

Toasty0

  • Guest
Re: Critical Alert for IE (FYI)
« Reply #17 on: November 27, 2003, 09:57:25 pm »
Quote:

Quote:

really? What scheme are you using?

   




Im using the default taldren sceme and the text color is almost as dark as the background.  




Hmmm...I'm using the Taldren testing setting. I don't think there's that big a difference. I see the text color just fine on a black bg. Hmmm...I'm truly baffled as to why you cannot.

Shucks, I'll try a different color next. Sorry to have caused you and problems.

Best,
Jerry  

Toasty0

  • Guest
Critical Alert for IE (FYI)
« Reply #18 on: November 26, 2003, 06:55:08 pm »

A Chinese security researcher has warned of five serious vulnerabilities in Microsoft's (Quote, Chart) Internet Explorer browser, warning that a successful exploit could lead to system takeover.

Liu Die Yu released details of the flaws on the Bugtraq mailing list and issued a warning that the vulnerabilities could lead to system access, exposure of sensitive information, cross site scripting and security bypass.

Yu also released proof-of-concept exploits on the popular mailing list, noting that the flaws affect Internet Explorer versions 5.0, 5.5 and 6.0.

Independent security consultant Secunia has rated the flaws 'Extremely Critical' and urged IE users to disable Active Scripting as a workaround until Microsoft issues a fix.

The flaws related to a redirection feature in the browser using the "mhtml:" URI handler. The researcher warned that it could be exploited to bypass a security check in Internet Explorer which normally blocks web pages in the "Internet" zone from parsing local files.

Yu said the redirection feature could also be exploited to download and execute a malicious file on a user's system. Successful exploitation requires that script code can be executed in the "MyComputer" zone, he explained.

The security alert also included a cross-site scripting vulnerability that could allow a malicious attacker to execute script code in the security zone associated with another Web page if it contains a subframe.

A variant of a previously fixed flaw can still be exploited to hijack a user's clicks and perform certain actions without the user's knowledge, the researcher explained.

Microsoft, which usually issues cumulative patches to fix Internet Explorer vulnerabilities, has adopted a new schedule to release fixes on the second Tuesday of every month. However, the company has said it would break that schedule if active exploits are circulating and causing major damage.

The company could not be reached to comment on Yu's public release of the proof-of-concept exploits.

Separately, the software giant released a knowledge base advisory to fix a flaw in the Microsoft Exchange Server 2003. The company said the issue related to the way Windows SharePoint Services use Kerberos authentication.

"To configure a virtual server that is extended with Windows SharePoint Services to use Kerberos authentication, you must first enable Kerberos in IIS, and then configure an SPN for the domain account that the virtual server is running as," the company explained.

http://siliconvalley.internet.com/news/article.php/3114171

Best,
Jerry  

EE

  • Guest
Re: Critical Alert for IE (FYI)
« Reply #19 on: November 27, 2003, 03:13:21 am »
Man.. different colors please lol. I could barely read that