Information Security News mailing list archives
Security debated
From: InfoSec News <isn () C4I ORG>
Date: Wed, 21 Jun 2000 01:10:44 -0500
http://www.infoworld.com/articles/hn/xml/00/06/20/000620hnbill.xml Published at: Tuesday, Jun. 20, 2000 5:00 pm PT By Jaikumar Vijayan, Computerworld A MICROSOFT PATCH aimed at fixing a previously discovered ActiveX flaw may not fully protect users against the vulnerability, according to an advisory issued Monday by Carnegie Mellon University's Computer Emergency Response Team (CERT). But in response to the CERT advisory, a Microsoft spokesman Tuesday insisted that the patch released by the company on June 2 provides protection against the vulnerability in all circumstances where users follow basic security procedures. The disagreement involves a little-known but potentially serious flaw that was discovered in mid-April with an ActiveX-based shortcut control in the HTML Help feature built into Microsoft Internet Explorer Web browser. The shortcuts allow HTML Help files to link to and execute code that helps users understand how to perform certain tasks, said Shawn Hernan, a CERT member. But under certain conditions -- which are described by CERT in its advisory -- the feature can be exploited by crackers to plant a malicious help file from a remote location onto a user's system. Basically, "someone who can exploit this vulnerability can [remotely] do anything you can do on your computer" under certain conditions, Hernan claimed. Earlier this month, Microsoft's own description of the flaw and announcement of the patch's release acknowledged that attackers exploiting the security hole "could take any actions that the user could take, including adding, changing or deleting data, or communicating with a remote Web site." Scott Culp, a security program manager at Microsoft, in Redmond, Wash., said the company's patch eliminates the vulnerability by only allowing an HTML Help file to use shortcuts if the file resides on a user's PC. That should provide ample protection as long as users stick to basic security practices such as having a secure firewall and not accepting files from unknown sources, he said. The security flaw can be exploited only under certain, very rare circumstances and even then only if the user actively downloads a malicious file from a remote location, Culp added. "CERT's advisory oversimplifies the steps that an attacker would need to exploit the flaw," he said. "The scenario they're postulating would open users up to a far broader range of security issues above and beyond this vulnerability." But in its advisory, CERT claimed the preconditions needed for the vulnerability to be exploited were not all that uncommon and posed a greater risk than Microsoft describes. "For some sites, the patch provided by Microsoft is adequate," CERT said in the advisory. "For others, particularly those sites using non-Microsoft networking products, the patch does not provide complete protection." Users need to understand their network's configuration prior to deciding which, if any, changes are required beyond installing the patch, CERT added. ISN is sponsored by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
Current thread:
- Security debated InfoSec News (Jun 21)