Information Security News mailing list archives

Security vulnerabilities persist after IE 6 patch


From: InfoSec News <isn () c4i org>
Date: Fri, 13 Sep 2002 05:55:21 -0500 (CDT)

http://www.nwfusion.com/news/2002/0912mssec.html

By Paul Roberts
IDG News Service 
09/12/02 

Only three days after the official release of the first patch for
Microsoft's Internet Explorer Version 6 Web browser, security experts
are raising concerns about security vulnerabilities that were not
addressed by the company.

The patch release, known as "Service Pack 1," was posted Monday on
Microsoft's Web site and contains fixes for more than 300 issues with
Internet Explorer 6, which was first released with the Windows XP
operating system in October 2001. Despite the fixes, however, security
experts warn that significant vulnerabilities remain even after
applying the patch.

"Security-wise, I would say it's pretty bad right now," says Thor
Larholm, a security researcher for Pivx Solutions, a Newport Beach,
Calif., security consulting company.

"You can do anything to anyone's Web page with Internet Explorer 6.  
It's wide open to anyone."

Top among Larholm and other security experts' concerns are
vulnerabilities that make it possible for attackers to take advantage
of holes in the web of restrictions and security rules that make up
Microsoft's Dynamic HTML Object Model, which governs the interaction
of windows, dialog boxes and Web page frames.

An advisory issued recently by the Israeli security company GreyMagic
Software warns about the potential dangers, when using Internet
Explorer, including Version 6 Service Pack 1, of what is referred to
as "cross-frame scripting."

Intended to make it easy to pass information back and forth between
different parts of a Web page, cross-frame scripting also makes it
possible for attackers, once their Web page is loaded by Internet
Explorer, to use JavaScript to change the URL displayed in one Web
page sub-frame, referred to as a "child," to match that of the main
Web page, or "parent," thus circumventing a host of security rules
that prohibit the free interaction between frames displaying different
Internet domains. Once an attacker is in control of the parent frame,
the URL of that frame can be replaced with a new script that allows
the attacker to read information from cookies and other files
containing a user's personal information.

And, experts say, because of the tight integration between Microsoft's
Internet Explorer browser and its other Office products, such as the
popular e-mail program Outlook, there is no shortage of ways to trick
unsuspecting users into visiting a Web page that a hacker controls.

"This can be done in many ways," said Lee Dagon, a researcher at
GreyMagic.

"For example, some versions of Outlook Express and Outlook render
e-mails sent in HTML format ... this means that scripts can execute
and therefore the vulnerability becomes exploitable by e-mail," Dagon
said.

While not all of the vulnerabilities Larholm identified are severe,
the Denmark-based researcher said that the sheer number of different
security holes makes it easy for attackers to move freely once they
have gained access to a machine using Internet Explorer and running
Windows.

"They all add up," Larholm said in reference to the security holes.  
"Some are mild, some are severe, but when you combine them, they can
be devastating."

An example of the cumulative effect of such holes can be found in an
advisory posted on Malware.com, a security Web site. Taking advantage
of three separate Internet Explorer vulnerabilities, one reported more
than a year ago, those who run the Web site were able to demonstrate
how a program could be silently placed and run on a remote computer
with no user interaction other than visiting an attacker's Web page
and having Internet Explorer and Windows Media Player -- both
standard Microsoft Windows applications -- installed.

Such vulnerabilities are particularly dangerous when coupled with an
unsuspecting user, Dagon said.

"Users are generally trusting their browser to keep them safe and most
of them don't even realize that a simple Web page may be able to
access their private documents," Dagon said.

When asked for comment on the issues raised by Larholm and other
security experts, a spokesman for Microsoft said that the company
firmly believes it acts in the best interest of customers, and that
Microsoft's security experts often reach different conclusions about
the technical feasibility of the possible attacks identified by
third-party security experts.

Despite the vulnerabilities he found, Larholm still recommends that
Internet Explorer users upgrade to Service Pack 1.

"If you're going to use Internet Explorer, I would recommend upgrading
to Service Pack 1," Larholm said. "The vulnerabilities that exist in
[Internet Explorer version 6.0] Service Pack 1 exist in the 5.0, 5.5
and 6.0 browsers too, and the improvements in Service Pack 1 are
adequate to justify upgrading."

In addition, the lack of attention to vulnerabilities in other browser
platforms doesn't mean that those are more secure, Larholm said. "Even
though Internet Explorer is very high profile on vulnerabilities
doesn't mean that those vulnerabilities don't exist in other browsers
as well."

Indeed, other browsers may be just as susceptible as Internet
Explorer, but are much less commonly used.

"The Netscape, Opera, and Konqueror browsers, nobody writes exploits
for those [browsers] because nobody really cares," Larholm said.  
"They'll have to have more than 1 percent or 2 percent of users before
people start to notice."



