Ditch IE - veteran bug hunter

[InfoSec News <isn () c4i org>]

http://www.theregister.co.uk/content/55/23557.html

By John Leyden
Posted: 04/01/2002 at 16:52 GMT

Veteran bug hunter Georgi Guninski is recommending disabling Active
Scripting - or ditching Internet Explorer entirely - after he
discovered yet another vulnerability with the browser.

IE allows hackers to browse known local files using a specially
crafted script due to a bug in the browser's GetObject() JScript
function, Guninski reports.

The vulnerability, which is similar to previous directory transversal
bugs and relates to how GetObject() interacts with the "htmlfile"  
ActiveX object, could allow the execution of arbitrary code on a
target machine. Internet Explorer version 5.5 and 6.0 are thought to
be affected.

Microsoft was informed about the problem on December 11 and has yet to
issue any response on the issue; but Guninski has produced test code
to validate his warning, the latest in a long line he has made about
IE.

This is evident from Guninski's advice that users should not use "IE
in hostile environments such as the internet", which pending a
surprise mass defection to Opera, is hardly very practical.

Yesterday Microsoft sent out an email to .Net Passport user strongly
urging them to review the security of their browsers and apply a
cumulative patch it issued in December. Users can check what security
upgrades they might need here. Although there's nothing there to
protect users from the latest risk, this is still well worth doing.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.