Wilders Security Forums

Posted by Paul Wilders (Administrator), February 23rd, 2002, 05:01 AM
MSoft patch leaves flaw unattended

02/22/02
Microsoft Patches IE But Leaves PopUp Attack For Later
By Brian McWilliams, Newsbytes
REDMOND, WASHINGTON, U.S.A.,
22 Feb 2002, 2:36 PM CST

Microsoft on Thursday issued another set of patches to correct two "critical" security flaws in its Internet Explorer (IE) browser. But the company has yet to wall off a month-old attack that can launch programs on the computers of IE 6 users.

The patches, posted at the Microsoft site Thursday evening, include a fix for an IE6 bug published last December in the browser's XMLHTTP ActiveX control, as well as for a previously unpublished flaw in the handling of VBScript by all supported versions of IE.

Both flaws have been rated critical risks by Microsoft, which advises affected customers to patch affected systems immediately.

Still awaiting a patch is a flaw that has been dubbed the Popup Object vulnerability. Originally reported to Microsoft more than five weeks ago, the bug in IE6 allows attackers to execute any program on a remote system.

In a harmless demonstration of the bug, also known as the IE arbitrary program execution vulnerability, a security researcher who uses the nickname ThePull showed how a Web page can be designed to launch applications such as the Windows registry editor, command prompt and file transfer protocol.

"I could make a worse exploit for that. Maybe someone else has and no one knows about it," said ThePull, who recently joined Eeye Digital Security as a quality assurance analyst, in an interview today. His Jan. 10 advisory reported, however, that he has not found a way to pass parameters to the programs.

Microsoft has not publicly acknowledged ThePull's discovery. Company representatives have responded to inquiries by saying that his advisory may put Microsoft customers at risk and cause "needless" confusion and apprehension.

In a break from past practice, Microsoft's bulletins on the IE flaws today did not contain direct links to the patches but instead instructed customers to visit the software maker's Windows Update site.

Some system administrators complained today on mailing lists that they have been unable to access the Windows Update site and that Microsoft's failure to publish direct links to the patches has prevented them from protecting their systems.

Microsoft's bulletin on the XMLHTTP vulnerability is at http://www.microsoft.com/technet/se...n/MS02-008.asp

Microsoft's bulletin on the VBScript handling flaw is at http://www.microsoft.com/technet/se...n/MS02-009.asp

ThePull's advisory is at http://home.austin.rr.com/wiredgodde...advisory4.html

Windows update is at www.microsoft.com/Windowsupdate

------

source: newsbytes
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100