[ISN] Microsoft investigating reports of new IE hole

Subject: [ISN] Microsoft investigating reports of new IE hole
Date: Fri, 5 Nov 2004 02:19:24 -0600 (CST)
http://www.nwfusion.com/news/2004/1104microinves.html

By Joris Evers
IDG News Service
11/04/04

Microsoft is investigating reports of a serious security flaw in
Internet Explorer, but has not yet seen malicious code that exploits
the reported flaw, the company said Thursday.

Security experts earlier this week warned that code exploiting a newly
discovered security hole in IE is circulating on the Internet. The
code exploits a buffer overflow vulnerability in IE 6 and has been
confirmed on PCs running Windows XP with Service Pack 1 and Windows
2000, according to Danish security company Secunia.

The U.S. Computer Emergency Readiness Team (CERT) issued an alert
similar to the Secunia advisory. CERT warns that aside from the Web
browser, applications such as e-mail clients that rely on browser
controls may also be vulnerable. Attackers could gain complete control
over a victim's computer by exploiting the flaw, according to Secunia
and CERT.

Microsoft is investigating the possible vulnerability, the company
said in a statement. However, while Secunia and CERT raise alarm over
code exploiting the vulnerability being publicly available, Microsoft
said it has not seen that yet. "We have not been made aware of any
active exploits of the reported vulnerabilities or customer impact at
this time, but we are aggressively investigating the public reports,"  
the company said.

The flaw lies in the way IE handles the SRC and NAME attributes of the
"frame" and "iframe" HTML elements, according to the CERT alert. A
user could be attacked via a Web page containing malicious code or an
HTML e-mail message.

There is no patch for this flaw, but computers running Windows XP
Service Pack 2 appear to be protected, according to Secunia and CERT.

Upon completing its investigation, Microsoft said it will take the
appropriate action to protect Windows users. This may include
providing a fix through its monthly patch release process or an
out-of-cycle security update, the company said.


