3 new IE flaws??

John Smith

Does anyone know much about three apparent new flaws that have been
discovered in IE? This article, http://www.vnunet.com/news/1155868,
actually advises that you change your browser to something other than IE (as
do most of you guys, I suppose).



They've also made some mileage by pointing out that the new flaws are "Zero
Day" flaws, meaning that the vulnerabilities have no patch as yet - the race
is now on to see if they can be exploited before they can be patched,
although the LSASS patch was available for nearly 3 weeks before Sasser
started its World Tour!!



Further reading seems to suggest that the flaw only impacts users of IE5.0,
5.1 and 5.5, because the flaw has apparently already been addressed in IE6
SP1.



Anyway, can anyone throw a bit more light on this?





Jeff
 
null

Does anyone know much about three apparent new flaws that have been
discovered in IE? This article, http://www.vnunet.com/news/1155868,
actually advises that you change your browser to something other than IE (as
do most of you guys, I suppose).

They've also made some mileage by pointing out that the new flaws are "Zero
Day" flaws, meaning that the vulnerabilities have no patch as yet - the race
is now on to see if they can be exploited before they can be patched,
although the LSASS patch was available for nearly 3 weeks before Sasser
started its World Tour!!

Further reading seems to suggest that the flaw only impacts users of IE5.0,
5.1 and 5.5, because the flaw has apparently already been addressed in IE6
SP1.

What "further reading"? Specify your references.


Art
http://www.epix.net/~artnpeg
 
John Smith

What "further reading"? Specify your references.


Art
http://www.epix.net/~artnpeg

Hi Art

Click the link that I originally included, and there are subsequent links to
another couple of related stories - one of Microsoft denying the flaws,
followed by one of Microsoft admitting the flaws. They are directly below
the article under the heading RELATED ARTICLES. It appears that the article
where Microsoft admits to the flaws is actually from February


Jeff
 
null

Hi Art

Click the link that I originally included, and there are subsequent links to
another couple of related stories - one of Microsoft denying the flaws,
followed by one of Microsoft admitting the flaws. They are directly below
the article under the heading RELATED ARTICLES. It appears that the article
where Microsoft admits to the flaws is actually from February

Indeed. Both articles are old:

http://www.vnunet.com/news/1152821
http://www.vnunet.com/news/1152478

and seem to be linked just for the sake of listing past articles on
the general subject of IE vulnerabilities. There's no suggestion at
all in the June article that _any_ version of IE is excluded, nor have
I found any suggestion anywhere that IE6 is excluded.


Art
http://www.epix.net/~artnpeg
 
John Smith

Indeed. Both articles are old:

http://www.vnunet.com/news/1152821
http://www.vnunet.com/news/1152478

and seem to be linked just for the sake of listing past articles on
the general subject of IE vulnerabilities. There's no suggestion at
all in the June article that _any_ version of IE is excluded, nor have
I found any suggestion anywhere that IE6 is excluded.


Art
http://www.epix.net/~artnpeg

Admittedly, Art, I didn't notice the dates on the other articles until after
you asked where the further reading came from. Anyway, the original article
seems to indicate that we may be facing something soon, or maybe it's not as
bad as implied.

I'm one of these strange creatures who actually likes Microsoft stuff.
Every software known to mankind has some sort of defect, possibly security
related, but Microsoft is the general target because of the sheer volume of
Microsoft products in the wild. Someone could start hitting Lotus
SmartSuite 97 or something equally as appalling, but what would be the point
when you consider that bugger all people use them. I will concede that
there is an inordinately large number of security issues with Microsoft
products, and there appears to have been some careless programming and
testing, but you also must concede that without the arsewipes who are
breaching security, the products would be pretty damn good. Just my 2 cents
worth in support of Bill...

Jeff
 
MJD

John Smith said:

Hi Art

Click the link that I originally included, and there are subsequent links to
another couple of related stories - one of Microsoft denying the flaws,
followed by one of Microsoft admitting the flaws. They are directly below
the article under the heading RELATED ARTICLES. It appears that the article
where Microsoft admits to the flaws is actually from February


Jeff

I'm not so sure about that, Jeff!
I think the February article is not related as it refers to earlier known
and fixed flaws made public in MS's stolen source code fragment.
In any case, until we hear more about this, I'm staying well and truly
behind my firewall!
Martin
 
null

Admittedly, Art, I didn't notice the dates on the other articles until after
you asked where the further reading came from. Anyway, the original article
seems to indicate that we may be facing something soon, or maybe it's not as
bad as implied.

I'm one of these strange creatures who actually likes Microsoft stuff.
Every software known to mankind has some sort of defect, possibly security
related, but Microsoft is the general target because of the sheer volume of
Microsoft products in the wild. Someone could start hitting Lotus
SmartSuite 97 or something equally as appalling, but what would be the point
when you consider that bugger all people use them. I will concede that
there is an inordinately large number of security issues with Microsoft
products, and there appears to have been some careless programming and
testing, but you also must concede that without the arsewipes who are
breaching security, the products would be pretty damn good. Just my 2 cents
worth in support of Bill...

The question though, is what can users do to improve their security
short of abandoning Windows? Abandoning the use of IE and OE in favor
of sane internet apps goes a long way to improve security ... and
without having to add a whole bunch of additional IE "protection"
software.


Art
http://www.epix.net/~artnpeg
 
NonDisputandum.com

Does anyone know much about three apparent new flaws that have been
discovered in IE? This article, http://www.vnunet.com/news/1155868,
actually advises that you change your browser to something other than IE (as
do most of you guys, I suppose).



They've also made some mileage by pointing out that the new flaws are "Zero
Day" flaws, meaning that the vulnerabilities have no patch as yet - the race
is now on to see if they can be exploited before they can be patched,
although the LSASS patch was available for nearly 3 weeks before Sasser
started its World Tour!!



Further reading seems to suggest that the flaw only impacts users of IE5.0,
5.1 and 5.5, because the flaw has apparently already been addressed in IE6
SP1.



Anyway, can anyone throw a bit more light on this?





Jeff

It was discovered by the Belgian security company Ubizen,..
http://www.ubizen.be/
Now I read that Microsoft is working on a patch to fix 3 IE flaws...

It is true that there was no patch and two flaws were really
dangerous,.. dangerous enough to have Ubizen propose users to
temporarily use an alternative browser...

Ubizen wrote:
<dixit>
Ubizen's security intelligence lab (SIL) is warning its customers
against three new vulnerabilities that have been discovered in the
latest fully patched version of Microsoft Internet Explorer (IE). Two
of the vulnerabilities mean that users that connect to the internet
using IE are at significant risk of a hacker (or virus) taking
complete control of their PC. The third vulnerability enables a hacker
to launch a phishing attack, meaning hackers can pick up duped users'
confidential details. No Microsoft patch is currently available to
protect against this threat, meaning internet users need to change
their internet browser immediately or change their IE security
settings.

"Fortunately the researcher who discovered the malicious code to
exploit the first two vulnerabilities, did not distribute the attack
across the internet. However, experienced hackers are likely to have
already discovered the code," said Dirk Van Droogenbroeck, researcher
in Ubizen's SIL. "As there is no fix available, the hacker community
will seek to massively exploit these vulnerabilities."

To reduce the risk of attack, businesses need to take the following
actions:
- Ideally businesses should use an alternative web browser, such as
  Netscape, Mozilla, Opera
- If businesses choose to continue using Microsoft's IE Web browser,
  they need to adjust the security settings to disable 'Active
  scripting'
- Set the security settings on IE Explorer as 'High' for all zones and
  don't follow links from untrustworthy sources, ensure URLs are
  manually entered in the address bar
"The exploits received by the researcher were created before Microsoft
was aware of the vulnerabilities - known in the security industry as
'zero-day exploits'. These exploits pose a significant security threat
to businesses. Whilst the researcher chose not to distribute a
'zero-day attack' when he discovered the code to the unknown
vulnerabilities, he did announce their existence to the world and gave
a full description of how the exploits work," continued Van
Droogenbroeck.
</dixit>
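
The two IE settings named in the Ubizen advisory quoted above can be checked from a registry export. This is an added example, not part of the thread or of Ubizen's text: it audits the per-user zone keys for Active scripting (URL action 1400, where 3 means disabled) and for the High level (CurrentLevel 0x12000). The sample export is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: decoded text of a `reg export` of the per-user IE zone keys.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"CurrentLevel"=dword:00000000
"1400"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"CurrentLevel"=dword:00011000
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"CurrentLevel"=dword:00012000
"1400"=dword:00000003
"""

ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
ACTIVE_SCRIPTING = "1400"  # URL action: 0 = enable, 1 = prompt, 3 = disable
LEVEL_HIGH = 0x12000       # CurrentLevel for the 'High' template (0 = custom)

def parse_zones(reg_text):
    """Return {zone number: {value name: int}} for every ...\\Zones\\<n> key."""
    zones, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[.*\\Zones\\(\d+)\]", line)
        if key:
            current = zones.setdefault(int(key.group(1)), {})
        elif line.startswith("["):
            current = None  # some other key: ignore its values
        else:
            val = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
            if val and current is not None:
                current[val.group(1)] = int(val.group(2), 16)
    return zones

def audit(reg_text):
    """List (zone name, problem) pairs where the advisory's settings are not in place."""
    findings = []
    for zone, values in sorted(parse_zones(reg_text).items()):
        name = ZONE_NAMES.get(zone, f"zone {zone}")
        if values.get(ACTIVE_SCRIPTING) != 3:  # a missing value is also reported
            findings.append((name, "Active scripting not disabled"))
        if values.get("CurrentLevel") != LEVEL_HIGH:
            findings.append((name, "security level is not High"))
    return findings

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_REG):
        print(f"{name}: {problem}")
```

A zone with hand-edited settings reports CurrentLevel 0 (custom), so it is flagged for the level even when scripting is already disabled, as the Local intranet zone in the sample shows.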
 
