Jump to content


Photo

Major unpatched bugs found in MS IE v6


  • Please log in to reply
48 replies to this topic

#1 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,449 posts

Posted 09 June 2004 - 03:49 PM

We've seen this with way too much frequency, but it cannot be ignored and needs to be reviewed, especially since the MS Security Bulletins for June 2004 were just released, with no mention of IE fixes:

Major unpatched bugs found in MS IE v6 - Extremely critical
08 June 2004
- http://www.theinquir.../?article=16445

- http://secunia.com/advisories/11793/

- http://archives.neoh...04-06/0104.html

- http://news.com.com/...g=st.util.print
June 9, 2004
"...The flaws are apparently being used to install the i-Lookup search bar, an adware toolbar that is added to IE's other toolbars. The adware changes the Internet Explorer home page, connects to one of six advertising sites and frequently displays pop-ups, mainly pornographic ads...The Internet address from which the adware Trojan horse was downloaded resolves to I-Lookup.com, a search engine registered in Costa Rica that antivirus firms Symantec and PestPatrol have linked to aggressive advertising software. Two of the top three searches on the site relate to removing such programs, according to I-Lookup.com's own statistics. A domain name search shows i-Lookup.com's parent company to be Aztec Marketing, but Pest Patrol links the site with iClicks Internet. E-mails sent to both companies for comment were not immediately answered..."

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#2 brownda7

brownda7

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 10 June 2004 - 07:07 AM

Yup,

Theres already a discussion going in the security warnings topic about this. The scariest thing about this is the microsoft press statement

A Microsoft spokesman issued a statement last night, saying, "Microsoft is investigating public reports of a malicious attack exploiting vulnerabilities in Internet Explorer which can enable a malicious user to execute code on a computer system. The company is monitoring the situation closely (and) is committed to helping customers keep their information safe."

Doesn't that just make you feel better.....................................NOT!!

brownda

#3 Trilobite

Trilobite

    Malware Hunter

  • Trusted Advisor
  • PipPipPipPipPip
  • 711 posts

Posted 10 June 2004 - 09:45 AM

I’ve said it before, and I’ll say it again:
My opinion of Micro$oft is getting lower by the day. :thumbsdown:
Right now it is somewhere between the RIAA and the jerk that stole my car.

Any news on when a patch might be issued?

#4 spyware fighter

spyware fighter

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 10 June 2004 - 04:28 PM

Well, guys... I have given up the battle with the IE vulnerabilities and simply changed the browser instead of filling my disk space with all those patches that keep multiplying day by day....

Yes, I have to share this one with you. I visited Microsoft pages yesterday with Mozilla and the following warning appeared:

"Warning: You are viewing this page with an unsupported Web browser. This Web site works best with Microsoft Internet Explorer 5.01 or later or Netscape Navigator 6.0 or later."

Well, thank you Microsoft for advertising your great :evilgrin: product!


:rofl:

#5 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,449 posts

Posted 10 June 2004 - 07:27 PM

More info on this ('just keeps on coming):

- http://www.computerw...316298&eid=-255
"...In simple terms, the link uses an unknown vulnerability to open up a local Explorer help file -- ms-its:C:\WINDOWS\Help\iexplore.chm::/iegetsrt.htm. It delays executing anything immediately but instead uses another unknown vulnerability to run another file which in turn runs some script. This script is then used to run more script. And finally that script is used to run an exploit that Microsoft Corp. has been aware of since August 2003 but hasn't patched. That exploit -- Adodb.stream -- has not been viewed as particularly dangerous, since it only works when the file containing the code is present on the user's hard disk. The problem comes in the fact that the Help file initially opened is assumed to be safe since it is a local file and so has minimal security restrictions. By using the unknown exploits, code is installed within the help file window, all security efforts are bypassed, and the Adodb.stream exploit is then used to download files on the Internet direct to the hard disk. What this means in reality is that if you click on a malicious link in an email or on the Internet, a malicious user can very quickly have complete control of your PC. And there is no patch available...With the code already available on the Net, this is effectively a security nightmare...unless you're a Mozilla or Opera user that is."

Edit/Add: See this thread > http://www.spywarein...?showtopic=5969

Edited by apluswebmaster, 10 June 2004 - 07:37 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#6 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,449 posts

Posted 11 June 2004 - 04:54 PM

Well, well, well...'just got an e-mail that says Uncle Sam is now involved in this one:

- http://www.us-cert.g.../TA04-163A.html
Original release date: June 11, 2004
"...Publicly available exploit code exists for this vulnerability, and US-CERT has monitored incident reports that indicate that this vulnerability is being actively exploited..."

...Interesting read. That should get M$ off their duffs...then again, maybe not. :(

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#7 nl255

nl255

    Member

  • Full Member
  • Pip
  • 54 posts

Posted 12 June 2004 - 12:31 AM

This is why I avoid windows if at all possible, and at the very least make MSIE not work on anything except windows update. You can do this by telling MSIE to use a proxy that does not exist such as example.net, and then in the "do not use a proxy for these sites" box just add windowsupdate.com and microsoft.com. If possible, never use MSIE (except for updates) outside of a vmware, win4lin or virtual pc session. I only have one system running Windows, and that is a Windows XP gaming box, which connects to the internet through an old p150 running linux (I have dialup, so a cable/dsl router is out of the question).

#8 Swami

Swami

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 12 June 2004 - 07:55 AM

Microsoft is somewhere between the RIAA and the jerk that stole my car.


That's hilarious!

Microsoft only cares about your wallet and they prove it time & time again ... They already balked on paying their 5-million dollars for informaion leading to the arrest and conviction of the most recent virus coders, and i sure haven't been hearing the term "Microsoft Trusted Computing" that they shoved down our throats all last summer.

Fortunantly i dithced this horrible piece of code (IE) over 2 yrs ago, and never looked back. Like you Nl255 i use Windows primarily just for gaming (and after my last trojan thats all Windows is doing anymore) ... i am using Ark Linux (OS) and the Konqueror web browser.

Trusting Microsoft with your security is about as reliable as betting against the sun rising up in the sky.


Edited by Swami, 12 June 2004 - 08:16 AM.


#9 nl255

nl255

    Member

  • Full Member
  • Pip
  • 54 posts

Posted 12 June 2004 - 05:39 PM

The sad thing is that what I-lookup is doing may not be illegal under US law. From what I have read, hacking/cracking is only illegal under US law if it causes more than $5000 in damages to a computer involved in interstate commerce (any online shopping counts as interstate commerce). That means that currently the best way to avoid these problems is to get rid of internet explorer (and Windows if possible, transgaming's winex can run many windows games without windows).

#10 Trilobite

Trilobite

    Malware Hunter

  • Trusted Advisor
  • PipPipPipPipPip
  • 711 posts

Posted 12 June 2004 - 08:53 PM

I think Micro$oft has done more to promote the use of Linux than any other company.

Windows has it’s merits, like being able to correctly identify and configure to mainstream soundcards, but I am getting VERY TIRED of putting up with M$’s sh*tty security.
First, M$ releases overpriced products that act like they are still in beta. :thumbsdown:
Second, M$’s actions anger the public and other companies, thus promoting the writing of more viruses and Trojans. :thumbsdown:
Third, M$ releases ‘patches’ that eat up storage space and often break more than they fix. :thumbsdown:
I believe that my signature sums up my opinion of M$’s situation nicely. :grrr: :rant: :gah:

[/RANT MODE=OFF]

Edited by Trilobite, 12 June 2004 - 09:02 PM.


#11 Untouchable J

Untouchable J

    Advanced Member

  • Full Member
  • PipPipPip
  • 205 posts

Posted 13 June 2004 - 08:43 PM

Microsoft races to deter hackers
Microsoft, the world's largest software maker, is racing to solve a flaw in its internet browser that may allow hackers access to computer systems.


According to a spokesman quoted by the Business newspaper, "Microsoft is investigating reports of malicious attack exploiting vulnerabilities".

Problems arise when a user unknowingly clicks on a so-called malicious link, triggering a download of software.

Hackers then have full access to data and files on the computer.

For more information see here: BBC News

:thumbsup:

#12 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,449 posts

Posted 14 June 2004 - 06:37 AM

FYI...yep, another one:

- http://secunia.com/advisories/11830/
Secunia Advisory: SA11830
Release Date: 2004-06-11
"...Moderately critical
Impact: Security Bypass
Spoofing
Where: From remote...

Software: Microsoft Internet Explorer 6

Solution:
- Set the security level for all zones to "High" in Internet Explorer. This will impair functionality on many web sites.
- Don't follow links from untrusted sources, but input URLs manually in the address bar.
- Use another browser..."

>>> http://secunia.com/a...lated=1#related

Edited by apluswebmaster, 14 June 2004 - 06:38 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#13 ChaoGuy

ChaoGuy

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 14 June 2004 - 09:58 PM

I think Micro$oft has done more to promote the use of Linux than any other company.

Windows has it’s merits, like being able to correctly identify and configure to mainstream soundcards, but I am getting VERY TIRED of putting up with M$’s sh*tty security.
First, M$ releases overpriced products that act like they are still in beta. :thumbsdown:
Second, M$’s actions anger the public and other companies, thus promoting the writing of more viruses and Trojans. :thumbsdown:
Third, M$ releases ‘patches’ that eat up storage space and often break more than they fix. :thumbsdown:
I believe that my signature sums up my opinion of M$’s situation nicely. :grrr: :rant: :gah:

And it is likly that given the time that this patch is made, another big virus will strike and another hole in securety will be found on Winodws, but I know that totally swiching Browsers mean alot of changes in the Windows Explore, this includes many settings like the desktop images and Windows Update, but it just seems they have more securety problems just like with IE.

#14 Mowergun

Mowergun

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 15 June 2004 - 04:32 AM

More info on this ('just keeps on coming):

- http://www.computerw...316298&eid=-255
"...In simple terms, the link uses an unknown vulnerability to open up a local Explorer help file -- ms-its:C:\WINDOWS\Help\iexplore.chm::/iegetsrt.htm. It delays executing anything immediately but instead uses another unknown vulnerability to run another file which in turn runs some script. This script is then used to run more script. And finally that script is used to run an exploit that Microsoft Corp. has been aware of since August 2003 but hasn't patched. That exploit -- Adodb.stream -- has not been viewed as particularly dangerous, since it only works when the file containing the code is present on the user's hard disk. The problem comes in the fact that the Help file initially opened is assumed to be safe since it is a local file and so has minimal security restrictions. By using the unknown exploits, code is installed within the help file window, all security efforts are bypassed, and the Adodb.stream exploit is then used to download files on the Internet direct to the hard disk. What this means in reality is that if you click on a malicious link in an email or on the Internet, a malicious user can very quickly have complete control of your PC. And there is no patch available...With the code already available on the Net, this is effectively a security nightmare...unless you're a Mozilla or Opera user that is."

Edit/Add: See this thread > http://www.spywarein...?showtopic=5969

Inasmuchas I never use Windows help, what if I were to create a new folder in C:\WINDOWS such as NOTHELP and then drag the Help folder into it. Then the pathway to all of the help files would be C:\WINDOWS\NOTHELP\Help. Since the help files would then be in a non standard location, would that effectively close this vulnerablility, or would the malicious link simply use windows find to locate the help files by name?

#15 Mowergun

Mowergun

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 15 June 2004 - 04:51 AM

It seems to me if Windows cannot find the help files when I click on Help, then maybe a malicious web link could not find them either, but I will always know where they are if I need them. ;)

Attached Images

  • NOTHELP.jpg


#16 Mowergun

Mowergun

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 15 June 2004 - 05:00 AM

START>RUN

Attached Images

  • iegetsrt.jpg


#17 brownda7

brownda7

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 15 June 2004 - 05:25 AM

I would dearly love if the official statement from microsoft says to rename the help file to "NOT HELP" to disable this latest threat...Ohhhhhhh the Irony!

Brownda :rofl:

#18 mellonhead

mellonhead

    Member

  • Full Member
  • Pip
  • 32 posts

Posted 15 June 2004 - 08:22 AM

I read that the workaround is to disable (delete) the file association for the .chm extension.

#19 Mowergun

Mowergun

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 16 June 2004 - 04:56 AM

I read that the workaround is to disable (delete) the file association for the .chm extension.

Hmm,

The default file association is to C:\WINDOWS\HH.exe. Perhaps an easier way to achieve the same results while at the same time making the changes more easily reversable would be to rename HH.exe to something like noHHelp.exe.

#20 mellonhead

mellonhead

    Member

  • Full Member
  • Pip
  • 32 posts

Posted 16 June 2004 - 07:26 AM

For more info about the .chm file "zero-day" exploit read here:

http://netsecurity.a.../a/aa021504.htm

#21 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,449 posts

Posted 16 June 2004 - 04:01 PM

FYI...

Microsoft drags feet on Windows SP2 features
- http://www.theinquir.../?article=16606
16 June 2004
"...Officially there is ‘no information available’ on whether the features seen in SP2 versions of IE will be available for other operating systems. However, during the webcast a Microsoft individual admitted the company had no plans to make the IE enhancements available in XP SP2 available on Windows 2000, NT 4, Windows 98 or Windows Me (Millennium Edition). Microsoft was still evaluating the technical feasibility of providing the new IE enhancements for older Windows versions, he said. However, cynical analysts think that it is possible that Microsoft does not want to give the owners of its older software any reason to avoid upgrading. The idea is that by refusing to give them SP2 upgrades it will make such systems less secure and force an upgrade. Of course Microsoft would never, ever, think of doing something as low as that."

--------------------------------------------------------------

Will Microsoft Offer XP SP2 Security to Older Windows?
- http://www.eweek.com...a=129662,00.asp
June 15, 2004
"...Microsoft officials have said that the SP2 updates will be applied to the Windows XP Tablet PC Edition 2005 and Media Center Edition 2005 products due out this year. It also plans to make the applicable SP2 updates available for the Internet Explorer 6 code that is part of Windows Server 2003. (These updates will be part of Service Pack 1 for Windows Server 2003, due out later this year.) But Microsoft has other back-porting plans for the Springboard technologies, too, said testers who requested anonymity. Microsoft is "highly likely" to make the Springboard updates available for IE 6 for Windows 2000 Service Pack 5. And it has told some of its partners that it is considering strongly making the IE-specific Springboard updates available for Windows NT, Windows 98, Windows 98 Second Edition and Windows Millennium Edition, the testing sources said. However, Microsoft is dead-set against porting Springboard to "standalone" versions of IE: IE 6 Service Pack 2 and IE 5.5, the testing sources added."

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#22 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,449 posts

Posted 17 June 2004 - 08:01 AM

FYI...from the Internet Storm Center:

- http://isc.sans.org/...date=2004-06-16
Updated June 17th 2004 05:12 UTC

"...Continuing Report: Unpatched IE Vulnerabilities
This is ground that's been tread over and over again recently, but it bears repeating: We are continuing to receive reports of exploitation of unpatched vulnerabilities in Internet Explorer resulting in code execution and system compromise. Take whatever precautions you feel are necessary to avoid becoming a victim..."

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#23 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,449 posts

Posted 21 June 2004 - 06:52 PM

FYI...from the Internet Storm Center:

- http://isc.sans.org/...date=2004-06-21
Updated June 21st 2004 23:34 UTC
"...ATTACKS AGAINST IE...
We continued to receive reports of attacks against IE browsers, this time loading an ActiveX control on the victim machine using the vulnerabilities described at
- http://www.securityfocus.com/bid/10472 and
- http://www.securityfocus.com/bid/10473 .
In a surprising twist, the ActiveX control actually downloaded a Certificate Revocation List into the infected system's browser, revoking over one hundred certs. We’re happy to report that anti-virus signatures were successful in detecting the malicious ActiveX control..."

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#24 Relizyz

Relizyz

    Member

  • New Member
  • Pip
  • 2 posts

Posted 21 June 2004 - 11:17 PM

Yes i found the solution for cws.
-a: format c: /s

#25 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,449 posts

Posted 25 June 2004 - 10:53 PM

Now admitted as "Critical" by MS, as a result of today's problems on the web:

- http://www.microsoft...ct.mspx?pf=true
Updated June 25, 2004 4:55 P.M. Pacific Time

...we wait for the IE "patch", unless you are:

"...Customers who have deployed Windows XP Service Pack 2 RC2 are not at risk...".

.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#26 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,449 posts

Posted 02 July 2004 - 09:40 AM

FYI...

- http://www.microsoft...ct.mspx?pf=true
Updated July 2, 2004 6:00 A.M. Pacific Time
"...On Friday, July 2, 2004, Microsoft is releasing a configuration change for Windows XP, Windows 2000, and Windows Server 2003, to address recent malicious attacks against Internet Explorer, also know as Download.Ject. Windows customers are encouraged to apply this configuration change immediately to help be protected from current Internet Explorer exploits. The update is currently available on the Download Center and will be made available later today on Windows Update...
Supported Operating Systems: Windows 2000, Windows NT, Windows Server 2003, Windows XP...

- How does the extended support for Windows Millennium Edition, Windows 98 Second Edition, and Windows 98 affect the release of this update for these operating systems?
Updates for these operating systems may not be available concurrently with the other updates provided as part of this bulletin, but they will be made available as soon as possible following this release. However, customers who feel comfortable creating these configuration changes manually can have the additional protection on their systems today by following the instructions in Knowledge Base Article 870669..."

- http://support.micro...spx?kbid=870669


("That's all, folks"...for now) :blink:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#27 NortyFiner

NortyFiner

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 02 July 2004 - 03:01 PM

Related news article...

http://www.msnbc.msn.com/id/5352495

According to this, the Download.Ject update doesn't actually patch anything, it just changes settings that were being exploited? Am I reading that right? :unsure:

Oh, and there is another critical update available for Windows as well, not related to this one...
Admin of the Official San Francisco 49ers Forum
Visit us at http://49ers.hosttown.com

#28 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,449 posts

Posted 02 July 2004 - 03:43 PM

FYI...

- http://www.siliconva.../printstory.jsp
Jul. 02, 2004
" Microsoft Corp. issued an interim security update Friday to protect users of its nearly ubiquitous Internet Explorer browsers from a new technique for spreading viruses. The update does not entirely fix the flaw that makes the spread possible, but it changes settings in Windows operating systems to disable hackers' ability to deliver malicious code with it...Friday's setting changes thwart any attack by prohibiting a Web application from writing files -- such as the virus code -- onto users' computers. Stephen Toulouse, a security program manager at Microsoft, said the company still was working on a comprehensive patch to fix vulnerabilities with Internet Explorer, but the settings change should protect users from the immediate threat..."

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#29 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,449 posts

Posted 03 July 2004 - 05:51 AM

FYI...

Microsoft Plugs IE; Report Warns All Browsers At Risk
- http://www.techweb.c...WB20040702S0007
July 2, 2004 (3:34 p.m. EST) - By Gregg Keizer, TechWeb News
"As if to prove the point that security is like the Dutch boy at the dike, Microsoft on Friday released a stop-gap fix for one of several vulnerabilities that have plagued its Internet Explorer just as a security firm warned that virtually every browser -- not just IE -- can be spoofed by hackers. The update, which Microsoft tagged as "Critical", isn't a patch per se, but rather an change to Windows that disables the ADODB.Stream object within the operating system's Data Access Components (DAC)...Wednesday, Secunia issued a warning saying it had discovered a vulnerability within IE that allowed scammers to spoof, or fake, the content of a site displayed in the browser.
- On Friday, however, the security vendor modified the alert to claim that virtually every browser, from Internet Explorer and Mozilla to Opera and Netscape -- including browsers for both Windows and the Mac OS -- has this flaw. "It's not a code vulnerability," said Secunia's Kristensen, "but a design flaw." The problem stems from how browsers handle frames. "Some time ago, browser designers decided that one site needed to be able to manipulate the content of another, and the functionality was adopted by everyone," said Kristensen. But hackers can use this to inject phony content -- say their own credit card-stealing form -- into a frame of an actual trusted Web site, such as a user's online bank. "In these times of phishing attacks and other scams, this is a problem," said Kristensen. "You're visiting a bank or an e-commerce site, and you're certain of that site, but meanwhile, it's [actually] open in the background to content change by hackers." Internet Explorer users can stymie such spoofing attacks by disabling the "Navigate sub-frames across different domains" setting under Tools/Internet Options/Security. :alarm:
Secunia offered up a quick test that users can run to see if their current browser is vulnerable to this problem."
>>> http://secunia.com/m...erability_test/

:(

- http://secunia.com/advisories/11978/
2004-07-02
"...Solution:
Do not browse untrusted sites while browsing trusted sites..." :alarm:

Edited by apluswebmaster, 03 July 2004 - 10:15 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#30 Mowergun

Mowergun

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 03 July 2004 - 12:34 PM

Hi,

I am assuming that any legitimate sub-frame on a secure page like an on-line banking page would likely come from the same domain, so disabling "Navigate sub frames across different domains" should not ordinarily break the functionality of the on-line banking page. Am I OK to make that assumption?

#31 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,449 posts

Posted 03 July 2004 - 12:46 PM

To clarify, it appears keywords are "...across different domains".

IE is -not- the only browser involved. In fact, the -shorter- list (per the Secunia advisory) are those "...not affected" (2). Opera, Netscape, Safari, and Konqueror are also on the list of "...vulnerability has been confirmed" browsers >>> http://secunia.com/advisories/11978/ ...

- http://www.techweb.c...WB20040702S0007 "...'In these times of phishing attacks and other scams, this is a problem'...Internet Explorer users can stymie such spoofing attacks by disabling the 'Navigate sub-frames across different domains' setting under Tools/Internet Options/Security..."

Just an option available for security reasons. Although it may break some functionality, it is also a way to "stymie such spoofing attacks". No "perfect world" here.

Edited by apluswebmaster, 05 July 2004 - 08:46 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#32 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,449 posts

Posted 05 July 2004 - 10:40 PM

FYI... Issues...we got 'em:

> Issue #1: Internet Explorer ADODB.Stream...
...may not have been "fixed" (workaround) with:
- http://support.micro...spx?kbid=870669
>> See:
- http://www.theregist.../07/05/ie_vuln/ ...and http://seclists.org/...4/Jul/0177.html

> Issue #2: Multiple Browsers Frame Injection Vuln
- http://secunia.com/advisories/11978/ "...Secunia issued a warning saying it had discovered a vulnerability within IE that allowed scammers to spoof, or fake, the content of a site displayed in the browser. On Friday, however, the security vendor modified the alert to claim that virtually every browser, from Internet Explorer and Mozilla to Opera and Netscape -- including browsers for both Windows and the Mac OS -- has this flaw. 'It's not a code vulnerability,' said Secunia's Kristensen, 'but a design flaw.'..."
>> Workaround for IE:
"...Internet Explorer users can stymie such spoofing attacks by disabling the 'Navigate sub-frames across different domains' setting under Tools/Internet Options/Security..."

Some fun, eh?

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#33 Hi-Lo Driver

Hi-Lo Driver

    Member

  • New Member
  • Pip
  • 3 posts

Posted 08 July 2004 - 03:20 PM

I have been reading lots of information about the flaws of IE-6, and wonder how a major software company like Microsoft could allow these vulnerabilities get so out-of-control. Is it because Bill Gates is so rich and powerful, in the computer software world, that he now don't give a damn any more about the quality of his products? Or could it be that he has screwed his former employee(s) royally that they are getting back at him by attacking him where it hurts--his wallet, by messing up IE-6? I may be way off base here by saying that since I'm hearing that other browsers under assault. I choose to stick with IE-6, and just do the best I can by modifying my security as best as I can. I have ZoneAlarm, Spybot, Ad-aware, SpywareBlaster, SpywareGuard, and WinPatrol. In my restricted sites security settings, I have all disable as possible. I have third party cookies blocked. What more can I do? It's a war.

Zac

#34 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,449 posts

Posted 08 July 2004 - 03:46 PM

Zac,

'Answers to your questions are: "Maybe, Probably not, and I dunno".

I do know one thing though: "What goes around comes around" ...and that is also true for corporate giants. 'Wish I had all the answers, but then, I'd have alot of money, and I wouldn't care - but I don't so I do. Are we clear on that, now?

.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#35 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,449 posts

Posted 09 July 2004 - 07:57 PM

'Thought we forgot about this, huh? Nah.

'Just a reminder..."Black Tuesday" is just 4 days away.


Some fun, eh?

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#36 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,449 posts

Posted 12 July 2004 - 02:12 PM

FYI...

IE's Market Share Drops, Security Gaffes To Blame
- http://www.techweb.c...WB20040712S0003
July 12, 2004
"...Internet Explorer has had more than 95 percent of the browser share for the past two years, and until early June of 2004, had owned about 95.7 percent of the market. Within the last month, however IE's share of the U.S. browser business fell from 95.48 on June 4 to 94.16 on July 9. Netscape and Mozilla, meanwhile, saw their share climb from 3.54 percent to 4.59. (WebSideStory tracks Netscape and Mozilla as a single unit, and in its count also includes Mozilla's stand-alone Firefox.) The 'All Others' category, which is primarily Apple's Safari browser with a bit of Opera thrown in, also got a boost, rising from 0.97 percent in June to 1.24 percent in July...Some analysts estimate the U.S. Internet population at around 200 million. A 1.32 percent change in browsers, then, translates into 2.6 million dropping IE..."

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#37 NortyFiner

NortyFiner

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 13 July 2004 - 01:34 PM

Five new critical updates today, not sure if they relate to any of this...
Admin of the Official San Francisco 49ers Forum
Visit us at http://49ers.hosttown.com

#38 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,449 posts

Posted 13 July 2004 - 01:48 PM

FYI...

MS Security Bulletin Summary - July 2004
- http://www.microsoft...n/ms04-jul.mspx
"...Critical (2), Important (4), Moderate (1)..."

(...Arrgghh!...) :ugh:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#39 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,449 posts

Posted 14 July 2004 - 06:23 PM

FYI...

RIP Internet Explorer?
- http://www.techworld...cfm?NewsID=1910
14 July 2004 By Kieren McCarthy, Techworld
"...The situation looks unlikely to change significantly until, ironically, Microsoft releases the next version of Windows - Longhorn. The US authorities are watching its development closely and may insist on Microsoft not tying its browser software in so closely with the OS. Once that happens, the door opens a little to other browsers. And combined with the greater freedom now given to PC vendors because Microsoft will no longer be able to dictate what else appears on a machine with Windows, it means that consumer PCs may come pre-loaded with a different browser to Explorer, or at least a choice of browsers. When - if - that happens then finally, finally we may have a normal competitive browser market where the software competes on quality and price (browsers won't be free for long in a competitive market). And then we can look forward to a slew of security alerts for browsers other than Explorer. RIP Explorer? Nope, it's here to stay all right."

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#40 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,449 posts

Posted 14 July 2004 - 11:27 PM

FYI...

- http://www.securityp...bleArticle=true
"...What's missing from this month's security fixes...is a top-to-bottom patch for several bugs in Microsoft's Internet Explorer browser. Vulnerabilities in IE have been exploited by several prominent attacks of recent weeks, including one run by Russian hackers that dropped Trojan horses and keyloggers on systems. On July 2, Microsoft released a temporary fix, but it has yet to produce a permanent patch. Then, Microsoft said it was working on a series of updates to IE in "coming week" company executives last week wouldn't commit to a release date, or even if it would roll out IE fixes in the monthly patch cycle. From the content of the security bulletins posted Tuesday, Redmond's passed...IE fixes are AWOL..."

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#41 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,449 posts

Posted 16 July 2004 - 01:13 AM

FYI...more added to "the list":

Secunia Advisory: SA12048 - Release Date: 2004-07-13
- http://secunia.com/advisories/12048/
"Extremely critical
> Impact: Security Bypass, Spoofing, System access
> Where: From remote...
Solution:
> Disable Active Scripting.
> Use another product..."

...the list:
- http://secunia.com/product/11/
"...Secunia currently has 55 Secunia advisories affecting Microsoft Internet Explorer 6..."

(Are we numb yet? :blink: )

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#42 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,449 posts

Posted 25 July 2004 - 10:08 PM

FYI...

New Phishing Technique Works on Multiple Browsers
- http://www.eweek.com...a=131696,00.asp
July 19, 2004
"A British Web developer has revealed a new form of a cross-site scripting, or XSS, attack that facilitates phishing activities. The attack...allows an attacker to execute scripts in the context of another Web site. Testing by eWEEK.com indicates that the attack works on both Internet Explorer on Windows XP with SP2 (Release Candidate 2) and on the Mozilla Firefox 0.9.1 browser...The main, obvious effect of the attack is that the page appears to be running in the victim site, but is incorporating elements from the attacker site. An attacker could therefore use the technique to persuade a user to provide personal information...Cross-site scripting attacks have been a hot item recently in security circles, but usually as a way to run scripts in the local machine context for a browser user and attack that computer. Using it against a Web site to spoof that site is new. Netcraft adds: "Although cross-site scripting has been a well known technique for over four years, it is an easy mistake for programmers to make, and can be an awkward one to test thoroughly."..."

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#43 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,449 posts

Posted 30 July 2004 - 01:43 PM

FYI...

Microsoft To Patch IE Next Week
- http://www.techweb.c...WB20040729S0004
July 29, 2004 - By Gregg Keizer, TechWeb News
"Microsoft executives said that a comprehensive patch for Internet Explorer will be released next week, finally plugging the hole that hackers exploited in a sneak attack during June..."We're targeting the release within the next week," said Dean Hachamovitch Wednesday in the security-oriented hosted monthly by Mike Nash, the head of Microsoft's security efforts. "We're doing our final checks right now." The upcoming patch will be released "out of cycle," said Hachamovitch, who oversees development for IE. That means it will appear before Microsoft's next regular-scheduled patch day. Microsoft rarely departs from the second-Tuesday-of-the-month schedule, an indication of how critical the company sees the fix. The next scheduled patch day is August 10. IE's patch, which will apply to IE 5.01, 5.5, and 6.0, was long in development and testing, said Hachamovitch, because "the core vulnerability was complicated." He also noted that extensive testing -- both on other applications that might be affected by the patch and the various versions of IE and Windows -- meant the patch took longer to finalize..."

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#44 PhalPhoto

PhalPhoto

    Currently experimenting with erratic service

  • Helper Trainee
  • PipPipPip
  • 107 posts

Posted 30 July 2004 - 02:02 PM

The word coming down through the Army information security community is that:

the core vulnerability was complicated


it was complicated because there are lots of legit apps that are written that exploit/workaround this vuln as well. From what I am hearing, the new patch will crash those apps. It's pretty funny when your code is so buggy that others are writing work-arounds for it and then you patch it and crash them, huh?

#45 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,449 posts

Posted 30 July 2004 - 02:19 PM

It seems they didn't want to wait! Thanks to the ISC (of course) for the tip! ( http://isc.sans.org/...date=2004-07-30 )

- http://www.microsoft...n/ms04-025.mspx
Microsoft Security Bulletin MS04-025
Cumulative Security Update for Internet Explorer (867801)
Issued: July 30, 2004
Version: 1.0
- Summary:
- Who should read this document: Customers who use Microsoft® Internet Explorer
- Impact of Vulnerability: Remote Code Execution
- Maximum Severity Rating: Critical
- Recommendation: Customers should apply the update immediately.
- Security Update Replacement: This update replaces the one that is provided in Microsoft Security Bulletin MS04-004, which is itself a cumulative update.
- Caveats: This update does not include hotfixes for Internet Explorer provided since the release of MS04-004. Customers who have received hotfixes from Microsoft or their support providers since the release of MS04-004 should review the FAQ section for this update to determine how this update might impact their operating systems..."

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#46 LB99338

LB99338

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 31 July 2004 - 01:58 AM

Microsoft Security Bulletin MS04-025
Cumulative Security Update for Internet Explorer (867801)
Issued: July 30, 2004


I'm waiting a few days to install this update. I'd be interested in hearing if anyone here has problems with the update, or also that things run ok with this patch. The caveats have me concerned, since it seems some patches will be removed. Will the next Windows Update visit detect that, and offer me the patches again?

Waiting for some reassurance......LOL!

#47 hawksrus

hawksrus

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 31 July 2004 - 04:14 AM

Hi LB99338

I updated my WinME fully updated system tonight.

So far no problems at all. In fact, I am replying to this message with ie6 (now do most of my suring with firefox). :bounce:

Here is Belarc details of my system:

Computer Profile Summary
Computer Name: Computer (in WORKGROUP)
Profile Date: Saturday, 31 July 2004 7:03:56 PM
Advisor Version: 6.1
Windows Logon: .

Click here for Belarc's PC Management products, for large and small companies.

Operating System System Model
Windows Millennium Edition (build 4.90.3000) Gateway
System Serial Number: 0001932163
Chassis Serial Number: 0001932163
Processor a Main Circuit Board b
933 megahertz Intel Pentium III
32 kilobyte primary memory cache
256 kilobyte secondary memory cache Board: Intel Corporation D815EEA AAA19243-406
Serial Number: ABEA11714555
Bus Clock: 133 megahertz
BIOS: Intel Corp. EA81510A.15A.0010.P08.0104052020 04/05/2001
Drives Memory Modules c,d
10.25 Gigabytes Usable Hard Drive Capacity
5.76 Gigabytes Hard Drive Free Space

SONY CD-RW CRX100E [CD-ROM drive]
Generic floppy disk drive (3.5")

QUANTUM FIREBALLlct20 10 [Hard drive] (10.26 GB) -- drive 0, s/n 051111059796, rev APL.0900, SMART Status: Healthy 320 Megabytes Installed Memory

Slot 'DIMM1' has 256 MB
Slot 'DIMM2' has 64 MB
Slot 'DIMM3' is Empty
Local Drive Volumes


c: (on drive 0) 10.25 GB 5.76 GB free
Network Drives


Users Printers
No details available

EPSON Stylus CX5300 on EPUSB1:
Controllers Display
Standard Floppy Disk Controller
Intel® 82801BA Ultra ATA Storage Controller
Primary IDE controller (dual fifo)
Secondary IDE controller (dual fifo) NVIDIA GeForce2 MX (Gateway - English) [Display adapter]
Gateway EV500 [Monitor] (13.8"vis, April 2001)
Bus Adapters Multimedia
Intel® 82801BA/BAM USB Universal Host Controller 1
Intel® 82801BA/BAM USB Universal Host Controller 2 Creative Gameport Device
Creative SB AudioPCI (WDM)
Wave Device for Voice Modem
Communications Other Devices
56K PCI Voice Modem SF-1156IV+ R9A PCI Modem Enumerator
Standard 101/102-Key or Microsoft Natural Keyboard
Microsoft PS/2 Port Mouse
USB Root Hub
USB Root Hub
Virus Protection
No AntiVirus details available

Installed Microsoft Hotfixes [Back to Top]

DataAccess
KB870669 (details...)
Q329414-25 on 13-03-04 (details...)

Internet Explorer
Q823353 (details...)
Q831167 (details...)
Q832894 (details...)
Q837009 (details...)
Q867801 (details...)
SP1 (SP1)

MSXML4
Q317244 (details...)

Windows Media Player
WM308567 (details...)

Windows Media Player (continued)
WM828026 (details...)

WinME
UPD271434 (details...)
UPD273727 (details...)
UPD273991 (details...)
UPD290700 (details...)
UPD314757 (details...)
UPD323172 (details...)
UPD323255 (details...)
UPD329048 (details...)
UPD329115 (details...)
UPD811630 (details...)
UPD812709 (details...)
UPD825119 (details...)
UPD840315 (details...)

Note ie has Q867801 update.

I believe thus far the update is ok but I agree with your caution. :scratchhead:

Best wishes :wave: ,
Tony

"Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man."

Mohandas K. Gandhi
Oct 2, 1869 to Jan 30, 1948

#48 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,449 posts

Posted 02 August 2004 - 06:15 AM

FYI...

Update to MS04-025 for XP users
- http://isc.sans.org/...date=2004-08-01
Updated August 2nd 2004 01:25 UTC
"For all folks using Windows XP, it is advised that you do another Windows Update to ensure that your patches have been correctly updated.
Microsoft stated the following:
'Subsequent to the release of this security bulletin, Microsoft was made aware that the update provided for Windows XP customers running the new version of Windows Update, Windows Update Version 5, did not contain the final release code for the vulnerabilities addressed in the security bulletin. Microsoft has corrected the update and is re-releasing this bulletin to advise of the availability of a revised update available to Windows Update Version 5 customers. Customers who are utilizing Windows Update Version 4, the vast majority of customers, are not affected by this revision'..."
- http://www.microsoft...n/ms04-025.mspx
Updated: August 1, 2004
Version: 2.0

(So much for running MS "Beta"!)

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#49 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,449 posts

Posted 02 August 2004 - 06:15 AM

Dup...(stutter on dial-up. Apologies...)

Edited by apluswebmaster, 02 August 2004 - 06:18 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button