Information Security News mailing list archives

IE bug could open the gates for hackers


From: InfoSec News <isn () C4I ORG>
Date: Wed, 28 Mar 2001 23:51:17 -0600

http://www.zdii.com/industry_list.asp?mode=news&doc_id=ZD5080289

By Lisa M. Bowman
ZDNet News
March 28, 2001

A newly discovered bug in Microsoft's Internet Explorer Web browser
could let malicious hackers read the e-mail and computer files of some
unsuspecting people.

Bug tracker Georgi Guninski said the exploit is activated when a
surfer using Internet Explorer 5 loads a malicious Web page. The
surfer's network also must be running Microsoft's Exchange 2000 server
for the bug to show up.

The bug lists the directories of some servers the Web surfer can
access, which could enable viewing of the person's e-mails or folders
if they are stored on a Microsoft Exchange 2000 server. The malicious
hacker would have to know some of the Web surfer's usernames.

Guninski has rated the bug's risk as "high," and he said people can
alleviate the problem by disabling Active Scripting, a browser setting
that offers enhanced functions but has been repeatedly associated with
potential security risks.

Microsoft did not immediately return requests for comment. But in a
message posted on Guninski's site that apparently comes from
Microsoft's Security Response Center, the company asked him for a
further explanation of the bug "so you are not just scaring people."
The message also said that "visiting malicious Web sites is not a real
exploit scenario."

Microsoft has come under fire in recent years for allegedly valuing
interoperability between its products over security. In its quest to
provide many pieces of software that interact with each other, some
security experts say the company has been lax in addressing possible
holes that could allow malicious hacker exploits.

Most notably, Microsoft's Outlook messaging software, which is used by
millions of people throughout the world, played a key role in the
rapid spread of viruses including I Love You and Melissa.

ISN is hosted by SecurityFocus.com