Posted by Maxim Weinstein
Tue, 12 Aug 2008 19:23:00 GMT
Symantec describes a vulnerability in Internet Explorer that allows a website with malicious content to install a Microsoft-signed ActiveX control and then exploit a known vulnerability in that control:
Because the control is Microsoft signed, its installation is silent, and does not require any user interaction. Once this vulnerable control is installed on the victim’s computer, it is exploited in the same way as if the control was installed all along. To top it off, this attack is carried out as a drive-by attack, so the unprotected user may never know that they were vulnerable, or had been targeted, let alone infected.
It does not appear that there is a known fix for this right now, so it’s just one more reason to keep your security software up to date if you’re using Internet Explorer.
Posted in all | Tags ie, microsoft, stopbadware
Posted by Maxim Weinstein
Fri, 27 Jun 2008 18:05:00 GMT
A researcher from security firm Kaspersky reportedly claims that he told Microsoft of a vulnerability in Internet Explorer “a long time ago,” but Microsoft didn’t consider it a security issue. Now, he claims he has found an example of an exploit in the wild that takes advantage of the vulnerability.
The attack, discovered at a compromised legitimate site, is using a modified GIF file to exploit the cross-site scripting feature/vulnerability.
...
Fast forward to the latest site compromise — on a high traffic Web site — where a GIF file containing an embedded iFrame is pointing IE users to a known malicious site. (The malicious site is currently offline but there’s evidence that it’s tied to ID-theft attacks)....
If the researcher’s findings are true (we haven’t confirmed them), then Microsoft should be embarrassed for missing an opportunity to protect its users and should immediately reconsider its position and treat this as the security issue that it is.
Posted in all | Tags ie, microsoft, stopbadware, vulnerability
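The post above describes a GIF file carrying an embedded iFrame. As an added example (not code from the post or from the researcher's report), here is a Python check a site operator could run over the images a site serves or accepts: it walks the GIF block structure and reports any markup tokens together with the region of the file they sit in. The token list, function names and sample bytes are constructed for illustration.

```python
import re

# Markup tokens that should never occur in image bytes (constructed list).
MARKUP = re.compile(rb"<\s*(iframe|script|html|body|object|embed)\b", re.I)

def _skip_sub_blocks(data, pos):
    """Step over length-prefixed sub-blocks up to the zero-length terminator."""
    while data[pos]:
        pos += data[pos] + 1
    return pos + 1

def gif_regions(data):
    """Split a GIF into (name, start, end) regions; ValueError if malformed."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 13 + (3 * (2 << (data[10] & 7)) if data[10] & 0x80 else 0)
    regions = [("header and colour table", 0, pos)]
    try:
        while data[pos] != 0x3B:                      # 0x3B = trailer
            start = pos
            if data[pos] == 0x21:                     # extension block
                name = "comment" if data[pos + 1] == 0xFE else "extension"
                pos = _skip_sub_blocks(data, pos + 2)
            elif data[pos] == 0x2C:                   # image descriptor
                flags = data[pos + 9]
                pos += 10 + (3 * (2 << (flags & 7)) if flags & 0x80 else 0)
                name, pos = "image", _skip_sub_blocks(data, pos + 1)
            else:
                raise ValueError("unknown block at offset %d" % pos)
            regions.append((name, start, pos))
    except IndexError:
        raise ValueError("truncated GIF") from None
    if pos + 1 < len(data):                           # bytes after the trailer
        regions.append(("trailing data", pos + 1, len(data)))
    return regions

def scan_gif(data):
    """Return (offset, region, tag) for each markup token found in the file."""
    regions = gif_regions(data)
    return [(m.start(), next((n for n, s, e in regions if s <= m.start() < e), "trailer"),
             m.group(1).lower().decode()) for m in MARKUP.finditer(data)]

# Constructed 1x1 GIF; TAINTED adds markup in a comment block and after the trailer.
_HEAD = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 3 + b"\xff" * 3
_IMAGE = b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x4c\x01\x00"
CLEAN = _HEAD + _IMAGE + b"\x3b"
TAINTED = (_HEAD + b"\x21\xfe\x1e<iframe src=//example.invalid>\x00"
           + _IMAGE + b"\x3b<SCRIPT>")
if __name__ == "__main__":
    print(scan_gif(CLEAN), scan_gif(TAINTED))
```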
Posted by Maxim Weinstein
Thu, 26 Jun 2008 16:52:00 GMT
Ryan Naraine over at the Zero Day Blog reports that a new vulnerability has been found in Internet Explorer 6 running on Windows XP with Service Pack 2 or 3:
An unpatched cross-domain vulnerability in Microsoft’s flagship Internet Explorer browser could expose Windows users to cookie hijacks and credentials theft attacks, according to a warning from security researchers.
At the moment, there is no patch:
In the absence of a patch, IE users are strongly encouraged to upgrade to IE 7. Or, as always, consider using an alternative browser.
Posted in all | Tags ie, microsoft, stopbadware, vulnerability