
[ISN] BBC stories used as bait for IE exploit

Subject: [ISN] BBC stories used as bait for IE exploit
Date: Fri, 31 Mar 2006 00:25:15 -0600 (CST)
http://news.com.com/BBC+stories+used+as+bait+for+IE+exploit/2100-7349_3-6056217.html

By Joris Evers 
Staff Writer, CNET News.com
March 30, 2006

Cybercrooks are spamming e-mail messages to trick people into visiting
malicious Web sites that exploit a recent Internet Explorer flaw,
experts warned Thursday.

The Web sites take advantage of the vulnerability in the omnipresent
Microsoft Web browser to install a keystroke logger on vulnerable
computers, according to San Diego-based Websense Security Labs.

"This keylogger monitors activity on various financial Web sites and
uploads captured information back to the attacker," Websense said in
an alert. The malicious software could capture log-in names and
passwords for the sites, information criminals could sell or possibly
use to plunder a victim's account.

The e-mail messages used to lure people to the Web sites contain
excerpts from BBC news stories and offer a link to "read more,"  
Websense said. This link leads to a forged BBC Web page where the
malicious software is dropped onto a vulnerable PC by exploiting the
"createTextRange()" vulnerability in IE, according to Websense's
alert.

The vulnerability has to do with how Internet Explorer handles the
createTextRange() tag in Web pages. Since the flaw was disclosed
publicly last week, more than 200 Web sites have been found to exploit
it. These sites typically install spyware, remote control software and
Trojan horses on vulnerable PCs.

Microsoft has said it is working on a fix for the browser. That update
is currently scheduled for delivery April 11, Microsoft's regular
monthly patch day. However, the Redmond, Wash., company has said it's
considering an earlier release.

Meanwhile, two security companies have beaten Microsoft to the punch.  
eEye Digital Security and Determina both released unofficial fixes for
the IE flaw earlier this week. Experts, however, have warned users to
be cautious with non-Microsoft fixes and instead suggest using a Web
browser other than IE, or disabling Active Scripting, which is also
Microsoft's advice.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.


