IE holes open up Web booby traps

[InfoSec News <isn () c4i org>]

http://news.com.com/2100-1001-962966.html?tag=fd_top_3

By Robert Lemos 
Staff Writer, CNET News.com
October 22, 2002, 1:21 PM PT

An Israeli Web-application company has warned users of Internet
Explorer that nine related security flaws in the program could be used
by malicious hackers to gain access to a victim's computer files.

GreyMagic Software said Tuesday that the vulnerabilities--eight of
which it deemed critical--could be exploited using a specially coded
Web page that would run malicious programs on a victim's computer if
the victim visited the page.

"Using these flaws in combination with other known flaws that can
silently deliver files to the user's disk could result in full
compromise of the client's computer," said Lee Dagon, head of research
and development for GreyMagic.

In addition to letting Net vandals steal private local documents, the
flaws could let malicious hackers copy clipboard information, execute
arbitrary programs and fool IE users by forging trusted Web sites, the
company said in its .

GreyMagic said Internet Explorer 5.5 and 6 are affected by the flaws
but that the latest service packs to each of these versions of IE plug
the holes.

The bugs appear in how Internet Explorer caches Web objects. GreyMagic
found the flaws after researching three different aspects of the
Internet Explorer object model earlier this month, Dagon said.

"In each session we found more vulnerabilities," he said.

Seven of the flaws can grant an attacker full access to the victim's
PC, while another makes the currently loaded document readable and the
last lets an attacker read and write to the clipboard.

"The attacker would need to know the name and exact path to (a) file,"  
added Dagon, pointing out that the vulnerabilities don't let a vandal
browse a victim's machine for files. "However, Windows has several
sensitive files in relatively static locations, these could be grabbed
and used against the victim." For example, the Windows password file
is in the same location on every Windows computer and could be copied
using the flaws.

Upgrading Internet Explorer 5.5 to Service Pack 2 plugs the security
holes, the company said. Patching Internet Explorer 6 with Service
Pack 1 will fix the problems in that version of the program as well.  
The latest updates for both versions of IE can be found through
Microsoft's Windows Update page.

Flaw-reporting flawed?

GreyMagic Software released the news of the flaws at the same time it
gave the information to Microsoft, saying that in the past "notifying
Microsoft ahead of time and waiting for them to patch the reported
issues proved...nonproductive."

Because Microsoft only received news of the holes on Tuesday, the
software giant couldn't confirm the existence of the vulnerabilities.  
Testing the demo code provided by GreyMagic Software, however, showed
that the flaws apparently were real.

The Israeli Web company's refusal to notify Microsoft first, however,
earned it the software giant's ire.

"We are concerned by the way this report has been handled," a
Microsoft representative said in a statement e-mailed to CNET
News.com. "Publishing this report may put computer users at risk--or
at the very least could cause needless confusion and apprehension."

For more than a year, Microsoft has been fighting to rein in the
public disclosure of flaws, issuing criticism of what it deems to be
irresponsible reporting and sponsoring the formation of a group to set
standards for disclosing vulnerabilities.

In the past, software makers haven't been very responsive to security
issues, but that's changing. Most researchers still believe that
releasing information about flaws is the best way to warn the public.  
However, the same researchers increasingly believe that giving the
software's creator a fair amount of time to create a patch is the most
responsible way to handle such incidents.

Interpretations of what's fair, however, can vary--from a few days to
a few months.

According to Dagon, previous advisories that the company brought to
the software titan's attention took anywhere from 3 months to more
than 6 months to fix. Since then, he said, GreyMagic has lost
patience.

"Microsoft takes quite a while to plug even the simplest security
issue, leaving users exposed to risks for months at a time instead of
letting them know about temporary workarounds," Dagon said.

But Microsoft isn't the only one to voice concern about reports such
as GreyMagic's. The open-source community was not happy when security
company Internet Security Systems dropped a bomb by posting an
advisory about a major flaw in the Apache Web server just hours after
it had notified the development group.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.