Feb 20, 2008
Secunia has released a “highly critical” vulnerability for various versions of Internet Explorer.
Versions Affected?
- Microsoft Internet Explorer 5.01
- Microsoft Internet Explorer 6.x
- Microsoft Internet Explorer 7.x
How can this vulnerability be exploited?
- An error in the way HTML with certain layout combinations is interpreted can be exploited to corrupt memory via a specially crafted web page.
- An error in the way the “by” property of an “animateMotion” SVG element is handled can be exploited to corrupt memory via a specially crafted web page assigning other DOM elements to the property.
- An error in the argument validation when processing images can be exploited to corrupt memory via a specially crafted web page.
Successful exploitation of the vulnerabilities may allow execution of arbitrary code.
Solution
Microsoft has released patches to fight the vulnerability.
ELSE USE FIREFOX and surf the internet without any problems.
Jul 16, 2007
In midst of attacks from Firefox fans Microsoft Internet Explorer 7 has another vulnerability added to its collection. Security company Secunia has discovered a flaw in IE7 which can be exploited by a malicious website to spoof the address bar, however the company rated the flaw as less critical.
The vulnerability is caused due to an error in the handling of the “document.open()” method and can be exploited to spoof the address bar if e.g. the user enters a new website manually in the address bar, which is commonly exercised as best practice.
Older versions might be also be affected but there are no reports available yet. This vulnerability is extremely important for the Redmond company as its top browser, Internet Explorer 7 is involved into the battle with Firefox and other applications for the leader position of the category.
Solution:
Close all browser windows after visiting untrusted websites.
Feb 27, 2007
This is scary. I could see my boot.ini file online? Huh. The common vulnerability makes it clear that the flaw in programming could be used for some dangerous works over the Internet.
Affected Software
Internet Explorer 7
Internet Explorer 6
Internet Explorer 5.01
FireFox 2.0.0.2
FireFox 1.5.0.9
Description
For demonstration of vulnerability in IE7 click here. For FireFox click here. This is a must see for all of the Internet users around. Using the vulnerability some diverted keystrokes which you hit to enter forms on a web page could be used to enter commands over the Internet to see your boot.ini. And this could just be the beginning.
“Both examples are Windows-specific, and require C:BOOT.INI to exist and be readable by users. The attack itself is not limited to a particular operating system, but I decided to provide a demonstration for most popular desktop OS - *nix versions that access /etc/hosts or /etc/passwd are easy to develop,” Zalewski, one who found the vulnerability, stated.“In all modern browsers, form fields (used to upload user-specified files to a remote server) enjoy some added protection meant to prevent scripts from arbitrarily choosing local files to be sent, and automatically submitting the form without user knowledge. For example, “.value” parameter cannot be set or changed, and any changes to .type reset the contents of the field,” added Michal Zalewski.
Workaround Available
User interaction is a must if both vulnerabilities are to be successfully exploited. In this context, the user would have to enter text in malformed areas on a web page, either from IE or FireFox. Zalewski explained that the keyboard input in unrelated locations can be selectively geared toward input fields by the attacker.
No real workaround looks to be available currently but we will keep you updated with the latest news.
Microsoft on one side was shouting that there IE7 is free of vulnerabilities while FireFox was busy releasing patches this month. Now this kick will surely add to there wounds. Let us wait and see how they react.
Source: Softpedia
RSS Feeds
