3 new IE flaws??

 
 
John Smith
      14th Jun 2004
Does anyone know much about three apparent new flaws that have been
discovered in IE? This article, http://www.vnunet.com/news/1155868,
actually advises that you change your browser to something other than IE (as
do most of you guys, I suppose).



They've also made some mileage by pointing out that the new flaws are "Zero
Day" flaws, meaning that the vulnerabilities have no patch as yet - the race
is now on to see if they can be exploited before they can be patched,
although the LSASS patch was available for nearly 3 weeks before Sasser
started its World Tour!!



Further reading seems to suggest that the flaw only impacts users of IE5.0,
5.1 and 5.5, because the flaw has apparently already been addressed in IE6
SP1.



Anyway, can anyone throw a bit more light on this?





Jeff


 
null@zilch.com
      14th Jun 2004
On Mon, 14 Jun 2004 21:43:10 GMT, "John Smith" <(E-Mail Removed)>
wrote:

>Does anyone know much about three apparent new flaws that have been
>discovered in IE? This article, http://www.vnunet.com/news/1155868,
>actually advises that you change your browser to something other than IE (as
>do most of you guys, I suppose).
>
>They've also made some mileage by pointing out that the new flaws are "Zero
>Day" flaws, meaning that the vulnerabilities have no patch as yet - the race
>is now on to see if they can be exploited before they can be patched,
>although the LSASS patch was available for nearly 3 weeks before Sasser
>started its World Tour!!
>
>Further reading seems to suggest that the flaw only impacts users of IE5.0,
>5.1 and 5.5, because the flaw has apparently already been addressed in IE6
>SP1.


What "further reading"? Specify your references.


Art
http://www.epix.net/~artnpeg
 
John Smith
      14th Jun 2004
<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Mon, 14 Jun 2004 21:43:10 GMT, "John Smith" <(E-Mail Removed)>
> wrote:
>
> >Does anyone know much about three apparent new flaws that have been
> >discovered in IE? This article, http://www.vnunet.com/news/1155868,
> >actually advises that you change your browser to something other than IE (as
> >do most of you guys, I suppose).
> >
> >They've also made some mileage by pointing out that the new flaws are "Zero
> >Day" flaws, meaning that the vulnerabilities have no patch as yet - the race
> >is now on to see if they can be exploited before they can be patched,
> >although the LSASS patch was available for nearly 3 weeks before Sasser
> >started its World Tour!!
> >
> >Further reading seems to suggest that the flaw only impacts users of IE5.0,
> >5.1 and 5.5, because the flaw has apparently already been addressed in IE6
> >SP1.
>
> What "further reading"? Specify your references.
>
>
> Art
> http://www.epix.net/~artnpeg


Hi Art

Click the link that I originally included, and there are subsequent links to
another couple of related stories - one of Microsoft denying the flaws,
followed by one of Microsoft admitting the flaws. They are directly below
the article under the heading RELATED ARTICLES. It appears that the article
where Microsoft admits to the flaws is actually from February


Jeff


 
null@zilch.com
      15th Jun 2004
On Mon, 14 Jun 2004 22:30:51 GMT, "John Smith" <(E-Mail Removed)>
wrote:

><(E-Mail Removed)> wrote in message
>news:(E-Mail Removed)...
>> On Mon, 14 Jun 2004 21:43:10 GMT, "John Smith" <(E-Mail Removed)>
>> wrote:
>>
>> >Does anyone know much about three apparent new flaws that have been
>> >discovered in IE? This article, http://www.vnunet.com/news/1155868,
>> >actually advises that you change your browser to something other than IE (as
>> >do most of you guys, I suppose).
>> >
>> >They've also made some mileage by pointing out that the new flaws are "Zero
>> >Day" flaws, meaning that the vulnerabilities have no patch as yet - the race
>> >is now on to see if they can be exploited before they can be patched,
>> >although the LSASS patch was available for nearly 3 weeks before Sasser
>> >started its World Tour!!
>> >
>> >Further reading seems to suggest that the flaw only impacts users of IE5.0,
>> >5.1 and 5.5, because the flaw has apparently already been addressed in IE6
>> >SP1.
>>
>> What "further reading"? Specify your references.
>
>Hi Art
>
>Click the link that I originally included, and there are subsequent links to
>another couple of related stories - one of Microsoft denying the flaws,
>followed by one of Microsoft admitting the flaws. They are directly below
>the article under the heading RELATED ARTICLES. It appears that the article
>where Microsoft admits to the flaws is actually from February


Indeed. Both articles are old:

http://www.vnunet.com/news/1152821
http://www.vnunet.com/news/1152478

and seem to be linked just for the sake of listing past articles on
the general subject of IE vulnerabilities. There's no suggestion at
all in the June article that _any_ version of IE is excluded, nor have
I found any suggestion anywhere that IE6 is excluded.


Art
http://www.epix.net/~artnpeg
 
John Smith
      15th Jun 2004
<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Mon, 14 Jun 2004 22:30:51 GMT, "John Smith" <(E-Mail Removed)>
> wrote:
>
> ><(E-Mail Removed)> wrote in message
> >news:(E-Mail Removed)...
> >> On Mon, 14 Jun 2004 21:43:10 GMT, "John Smith" <(E-Mail Removed)>
> >> wrote:
> >>
> >> >Does anyone know much about three apparent new flaws that have been
> >> >discovered in IE? This article, http://www.vnunet.com/news/1155868,
> >> >actually advises that you change your browser to something other than IE (as
> >> >do most of you guys, I suppose).
> >> >
> >> >They've also made some mileage by pointing out that the new flaws are "Zero
> >> >Day" flaws, meaning that the vulnerabilities have no patch as yet - the race
> >> >is now on to see if they can be exploited before they can be patched,
> >> >although the LSASS patch was available for nearly 3 weeks before Sasser
> >> >started its World Tour!!
> >> >
> >> >Further reading seems to suggest that the flaw only impacts users of IE5.0,
> >> >5.1 and 5.5, because the flaw has apparently already been addressed in IE6
> >> >SP1.
> >>
> >> What "further reading"? Specify your references.
> >
> >Hi Art
> >
> >Click the link that I originally included, and there are subsequent links to
> >another couple of related stories - one of Microsoft denying the flaws,
> >followed by one of Microsoft admitting the flaws. They are directly below
> >the article under the heading RELATED ARTICLES. It appears that the article
> >where Microsoft admits to the flaws is actually from February
>
> Indeed. Both articles are old:
>
> http://www.vnunet.com/news/1152821
> http://www.vnunet.com/news/1152478
>
> and seem to be linked just for the sake of listing past articles on
> the general subject of IE vulnerabilities. There's no suggestion at
> all in the June article that _any_ version of IE is excluded, nor have
> I found any suggestion anywhere that IE6 is excluded.
>
>
> Art
> http://www.epix.net/~artnpeg


Admittedly, Art, I didn't notice the dates on the other articles until after
you asked where the further reading came from. Anyway, the original article
seems to indicate that we may be facing something soon, or maybe it's not as
bad as implied.

I'm one of these strange creatures who actually likes Microsoft stuff.
Every software known to mankind has some sort of defect, possibly security
related, but Microsoft is the general target because of the sheer volume of
Microsoft products in the wild. Someone could start hitting Lotus
SmartSuite 97 or something equally as appalling, but what would be the point
when you consider that bugger all people use them. I will concede that
there is an inordinately large number of security issues with Microsoft
products, and there appears to have been some careless programming and
testing, but you also must concede that without the arsewipes who are
breaching security, the products would be pretty damn good. Just my 2 cents
worth in support of Bill...

Jeff



 
MJD
      15th Jun 2004

"John Smith" <(E-Mail Removed)> wrote in message
news:vGpzc.27532$(E-Mail Removed)...
> <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > On Mon, 14 Jun 2004 21:43:10 GMT, "John Smith" <(E-Mail Removed)>
> > wrote:
> >
> > >Does anyone know much about three apparent new flaws that have been
> > >discovered in IE? This article, http://www.vnunet.com/news/1155868,
> > >actually advises that you change your browser to something other than IE (as
> > >do most of you guys, I suppose).
> > >
> > >They've also made some mileage by pointing out that the new flaws are "Zero
> > >Day" flaws, meaning that the vulnerabilities have no patch as yet - the race
> > >is now on to see if they can be exploited before they can be patched,
> > >although the LSASS patch was available for nearly 3 weeks before Sasser
> > >started its World Tour!!
> > >
> > >Further reading seems to suggest that the flaw only impacts users of IE5.0,
> > >5.1 and 5.5, because the flaw has apparently already been addressed in IE6
> > >SP1.
> >
> > What "further reading"? Specify your references.
> >
> >
> > Art
> > http://www.epix.net/~artnpeg
>
> Hi Art
>
> Click the link that I originally included, and there are subsequent links to
> another couple of related stories - one of Microsoft denying the flaws,
> followed by one of Microsoft admitting the flaws. They are directly below
> the article under the heading RELATED ARTICLES. It appears that the article
> where Microsoft admits to the flaws is actually from February
>
>
> Jeff
>

I'm not so sure about that, Jeff!
I think the February article is not related as it refers to earlier known
and fixed flaws made public in MS's stolen source code fragment.
In any case, until we hear more about this, I'm staying well and truly
behind my firewall!
Martin


 
null@zilch.com
      15th Jun 2004
On Tue, 15 Jun 2004 00:03:57 GMT, "John Smith" <(E-Mail Removed)>
wrote:

>Admittedly, Art, I didn't notice the dates on the other articles until after
>you asked where the further reading came from. Anyway, the original article
>seems to indicate that we may be facing something soon, or maybe it's not as
>bad as implied.
>
>I'm one of these strange creatures who actually likes Microsoft stuff.
>Every software known to mankind has some sort of defect, possibly security
>related, but Microsoft is the general target because of the sheer volume of
>Microsoft products in the wild. Someone could start hitting Lotus
>SmartSuite 97 or something equally as appalling, but what would be the point
>when you consider that bugger all people use them. I will concede that
>there is an inordinately large number of security issues with Microsoft
>products, and there appears to have been some careless programming and
>testing, but you also must concede that without the arsewipes who are
>breaching security, the products would be pretty damn good. Just my 2 cents
>worth in support of Bill...


The question though, is what can users do to improve their security
short of abandoning Windows? Abandoning the use of IE and OE in favor
of sane internet apps goes a long way to improve security ... and
without having to add a whole bunch of additional IE "protection"
software.


Art
http://www.epix.net/~artnpeg
 
null@zilch.com
      15th Jun 2004
On Tue, 15 Jun 2004 10:18:51 +1000, "MJD" <(E-Mail Removed)> wrote:

>In any case, until we hear more about this, I'm staying well and truly
>behind my firewall!


A firewall does nothing to protect you from browser exploits.


Art
http://www.epix.net/~artnpeg
 
NonDisputandum.com
      15th Jun 2004
On Mon, 14 Jun 2004 21:43:10 GMT, "John Smith" <(E-Mail Removed)>
wrote:

>Does anyone know much about three apparent new flaws that have been
>discovered in IE? This article, http://www.vnunet.com/news/1155868,
>actually advises that you change your browser to something other than IE (as
>do most of you guys, I suppose).
>
>
>
>They've also made some mileage by pointing out that the new flaws are "Zero
>Day" flaws, meaning that the vulnerabilities have no patch as yet - the race
>is now on to see if they can be exploited before they can be patched,
>although the LSASS patch was available for nearly 3 weeks before Sasser
>started its World Tour!!
>
>
>
>Further reading seems to suggest that the flaw only impacts users of IE5.0,
>5.1 and 5.5, because the flaw has apparently already been addressed in IE6
>SP1.
>
>
>
>Anyway, can anyone throw a bit more light on this?
>
>
>
>
>
>Jeff
>

It was discovered by the Belgian security company Ubizen,..
http://www.ubizen.be/
Now I read that Microsoft is working on a patch to fix 3 IE flaws...

It is true that there was no patch and two flaws were really
dangerous,.. dangerous enough to have Ubizen propose users to
temporarily use an alternative browser...

Ubizen wrote:
<dixit>
Ubizen's security intelligence lab (SIL) is warning its customers
against three new vulnerabilities that have been discovered in the
latest fully patched version of Microsoft Internet Explorer (IE). Two
of the vulnerabilities mean that users that connect to the internet
using IE are at significant risk of a hacker (or virus) taking
complete control of their PC. The third vulnerability enables a hacker
to launch a phishing attack, meaning hackers can pick up duped users'
confidential details. No Microsoft patch is currently available to
protect against this threat, meaning internet users need to change
their internet browser immediately or change their IE security
settings.

"Fortunately the researcher who discovered the malicious code to
exploit the first two vulnerabilities, did not distribute the attack
across the internet. However, experienced hackers are likely to have
already discovered the code," said Dirk Van Droogenbroeck researcher
in Ubizen's SIL. "As there is no fix available, the hacker community
will seek to massively exploit these vulnerabilities.

To reduce the risk of attack, businesses need to take the following
actions:
- Ideally businesses should use an alternative web browser, such as
  Netscape, Mozilla, Opera
- If businesses choose to continue using Microsoft's IE Web browser,
  they need to adjust the security settings to disable 'Active
  scripting'
- Set the security settings on IE Explorer as 'High' for all zones and
  don't follow links from untrustworthy sources, ensure URLs are
  manually entered in the address bar

"The exploits received by the researcher were created before Microsoft
was aware of the vulnerabilities - known in the security industry as
'zero-day exploits'. These exploits pose a significant security threat
to businesses. Whilst the researcher chose not to distribute a
'zero-day attack' when he discovered the code to the unknown
vulnerabilities, he did announce their existence to the world and gave
a full description of how the exploits work," continued Van
Droogenbroeck.
</dixit>



--
www.nondisputandum.com
Freeware to Protect & Clean your PC
Freeware Office tools & Webbuilding
+ The Internet Addiction Test
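
The 'Active scripting' and 'High' settings named in the Ubizen advice quoted above are stored per security zone in the registry, where Active scripting is URL action 1400. The following read-only audit is an added example, not part of the original post and not from Ubizen or Microsoft; the function name `Get-IEZoneAudit` is hypothetical, and it assumes the settings live in the current user's key rather than in a policy-managed location.

```powershell
# Added example: read-only audit of the current user's IE security zones.
# URL action 1400 = "Active scripting": 0 = enable, 1 = prompt, 3 = disable.
# CurrentLevel 0x12000 = the "High" security template.
# Assumption: settings are in the per-user key; machines managed by policy
# may keep them under the matching Software\Policies key instead.
$ZonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

$ZoneNames = [ordered]@{
    '0' = 'My Computer'
    '1' = 'Local intranet'
    '2' = 'Trusted sites'
    '3' = 'Internet'
    '4' = 'Restricted sites'
}
$ScriptingStates = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-IEZoneAudit {
    foreach ($id in $ZoneNames.Keys) {
        $path  = Join-Path $ZonesKey $id
        # A missing key or value yields $null rather than an error.
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        $scripting = $props.'1400'
        $level     = $props.CurrentLevel

        if ($null -eq $scripting) {
            $state = 'Not set'
        } elseif ($ScriptingStates.ContainsKey([int]$scripting)) {
            $state = $ScriptingStates[[int]$scripting]
        } else {
            $state = "Unknown ($scripting)"
        }

        [pscustomobject]@{
            Zone              = $ZoneNames[$id]
            ActiveScripting   = $state
            ScriptingDisabled = ($scripting -eq 3)
            HighTemplate      = ($level -eq 0x12000)
        }
    }
}

# One row per zone; any row with ScriptingDisabled = False does not yet
# match the "disable Active scripting" advice.
Get-IEZoneAudit | Format-Table -AutoSize
```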
 