
| Subject: | [ISN] Microsoft probes report of IE flaw |
|---|---|
| Date: | Wed, 28 Sep 2005 23:27:33 -0500 (CDT) |

http://beta.news.com.com/Microsoft+probes+report+of+IE+flaw/2100-1002_3-5841381.html

By Joris Evers
Staff Writer, CNET News.com
September 28, 2005

A new flaw in Internet Explorer could be exploited to launch spoof-based attacks, or access and change data on vulnerable PCs, security experts have warned.

The problem lies in the way Microsoft has implemented a JavaScript component in its Web browser, security researcher Amit Klein wrote in a research document. Internet Explorer does not validate some data fields provided by a PC when the component, called XmlHttpRequest, is used, he wrote.

The vulnerability could be exploited with specially crafted code. An attacker could spoof a legitimate Web site, access data from the Web browser's cache or stage a so-called man-in-the-middle attack, which taps into traffic between a user and another Web site, according to Klein's write-up.

Fully-patched computers running Windows XP with Service Pack 2 and Internet Explorer 6.0 are vulnerable to this issue, security monitoring company Secunia said in an advisory. Secunia rates the problem as "moderately critical" but says people can avoid the risk by setting the security level in IE to "high."

Microsoft is investigating the vulnerability report, a company representative said in a statement. The software maker is not aware of any attacks that take advantage of the flaw, the representative said. Upon completion of the investigation, Microsoft may provide a security update or emergency fix.

Microsoft is unhappy about the way the problem was disclosed. The company urges security researchers to report problems in its products privately so it can provide a fix. "This public disclosure potentially puts computer users at risk," the Microsoft representative said.

Over the last weeks, several security researchers have come forward with flaws in Internet Explorer, which is part of Windows. Some of these vulnerabilities could let an intruder gain control of a user's PC.

Microsoft initially planned to release at least one patch for Windows earlier this month but pulled it because of quality issues.

Secunia has published 86 security advisories on IE, of which 20 are currently marked "unpatched" in the Secunia database.

_________________________________________
InfoSec News v2.0 - Coming Soon!
http://www.infosecnews.org