Microsoft plugs six browser holes

[InfoSec News <isn () c4i org>]

http://news.com.com/2100-1001-834826.html

By Robert Lemos 
Staff Writer, CNET News.com
February 11, 2002, 5:20 PM PT

Microsoft released a collection of software fixes Monday to plug six
security problems in its Internet Explorer browser, including one that
could be exploited to take over a victim's computer.

The advisory deemed as critical a vulnerability in the way Microsoft's
browser opens external documents, but about which the software giant
would say little for the past two months.

"We have said that the issue is under investigation," said a
representative for the software giant.

The software flaw took Microsoft by surprise when a 31-year-old
Austin, Texas-based security researcher using the handle "ThePull"  
posted details of the problem to a security mailing list.

The collection of software fixes, known as a cumulative patch, also
fixes two flaws in the way Internet Explorer handles HTML, opens
files, and executes certain scripts.

The release comes 48 hours after two security researchers pointed out
that the security hole found in December can be combined with last
week's minor privacy flaw in MSN Messenger to hijack MSN accounts.

"The flaw allows a malicious programmer, Web site or e-mail to
impersonate you completely," said Thor Larholm, an Internet programmer
for Danish portal Jubii and one of two researchers who found the
problem. "You can, in essence, use this to remote-control a victim."

Users are urged to download the latest patch.

Larholm, along with British Web developer Tom Gilder, outlined the
security slip-ups on their Web site, including the fact that Microsoft
posted a set of fixes for the problem last Thursday, but took it down
not two hours later.

A Microsoft representative said that an error in the way the patch was
distributed caused the company to pull it down and conduct further
testing. Any Windows user who had already downloaded the patch during
the two-hour window is fine, the representative said.

Both security experts said they were disturbed by Microsoft's slow
response, especially with respect to the December security problem
found by ThePull.

"Even when Microsoft patches the current round of security holes, it's
only a matter of time before someone comes up with another one," said
Gilder. "Domain-security related holes are reasonably frequent, and
when the next one pops up MSN will be wide-open again."

Finding this one wasn't that difficult, Larholm said. "We sat down for
10 minutes and came up with this."

Microsoft has embarked on an initiative to eliminate such
vulnerabilities from its software and services. Recently, in a memo to
every employee, Chairman Bill Gates stressed that the software titan
needs to put security over features.

Gilder said the jury's still out on whether Microsoft is doing just
that.

"Microsoft has said a lot of wise words recently, but I've not yet
seen many of these actually being put into practice," Gilder said.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.