Vulnerability Development mailing list archives

Re: New IE6 security hole


From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa () pacbell net>
Date: Fri, 10 Jun 2005 07:01:06 -0700

And when I forwarded your email to Secure () microsoft com [which is what YOU should have done rather than posting it all over the place] this is what they posted back to me:

- Microsoft is aware of a public report of a vulnerability affecting
Internet Explorer.  The report indicates that Internet Explorer's
default behavior could allow a web page to not display script code when a user attempts to view the source of the page.

- Our investigation reveals that the behavior described in the public
report is not a vulnerability in the browser. Instead, this is a well
known capability of dynamic html (DHTML) and is a standard feature of
most browsers including Internet Explorer.

- Microsoft is concerned that some security researchers may not know the appropriate email alias to report security vulnerabilities to the Microsoft Security Response Center. Secure () microsoft com is the public email alias for reporting security vulnerabilities to Microsoft.

- We continue to encourage all security researchers to work with
Microsoft on a confidential basis so that we can work together in
partnership to help protect Microsoft's customers and not put them at
unnecessary risk.

- We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software. Customers can learn more about these steps at www.microsoft.com/protect.
-------------------------------------------

In your contact database... put in secure () microsoft com and next time...use that instead.


Development SeniorenNet wrote:

Hi,



I discovered a NEW security hole / exploit in IE6 with SP2 and all the latest security patches.



Overview of the exploit:

 a.. Bug for all Microsoft Internet Explorer users
 b.. Can be abused by hackers to run harmful JavaScript code and can be abused to mislead existing protection against harmful JavaScript code, like software from Norton, McAfee, ...
 c.. Can be abused to mislead the search engines Google, MSN, Yahoo, AltaVista, ...
 d.. Unpleasant for JavaScript programmers


I searched the net about the bug but found nothing, so I really think it is a NEW bug.



All the information about the new bug (info, exploit, ...), see the page http://research.seniorennet.be/Techresearch/Javascript_security_flaw_bug_ie_6/security_flaw_bug_javascript_ie_6_internet_explorer.php





Best regards,

Pascal Vyncke



