MSoft patch leaves flaw unattended
Microsoft Patches IE But Leaves PopUp Attack For Later
By Brian McWilliams, Newsbytes
REDMOND, WASHINGTON, U.S.A.,
22 Feb 2002, 2:36 PM CST
Microsoft on Thursday issued another set of patches to correct two "critical" security flaws in its Internet Explorer (IE) browser. But the company has yet to wall off a month-old attack that can launch programs on the computers of IE 6 users.
The patches, posted at the Microsoft site Thursday evening, include a fix for an IE6 bug published last December in the browser's XMLHTTP ActiveX control, as well as for a previously unpublished flaw in the handling of VBScript by all supported versions of IE.
Both flaws have been rated critical risks by Microsoft, which advises affected customers to patch affected systems immediately.
Still awaiting a patch is a flaw that has been dubbed the Popup Object vulnerability. Originally reported to Microsoft more than five weeks ago, the bug in IE6 allows attackers to execute any program on a remote system.
In a harmless demonstration of the bug, also known as the IE arbitrary program execution vulnerability, a security researcher who uses the nickname ThePull showed how a Web page can be designed to launch applications such as the Windows registry editor, command prompt and file transfer protocol.
"I could make a worse exploit for that. Maybe someone else has and no one knows about it," said ThePull, who recently joined Eeye Digital Security as a quality assurance analyst, in an interview today. His Jan. 10 advisory reported, however, that he has not found a way to pass parameters to the programs.
Microsoft has not publicly acknowledged ThePull's discovery. Company representatives have responded to inquiries by saying that his advisory may put Microsoft customers at risk and cause "needless" confusion and apprehension.
In a break from past practice, Microsoft's bulletins on the IE flaws today did not contain direct links to the patches but instead instructed customers to visit the software maker's Windows Update site.
Some system administrators complained today on mailing lists that they have been unable to access the Windows Update site and that Microsoft's failure to publish direct links to the patches has prevented them from protecting their systems.
Microsoft's bulletin on the XMLHTTP vulnerability is at http://www.microsoft.com/technet/se...n/MS02-008.asp
Microsoft's bulletin on the VBScript handling flaw is at http://www.microsoft.com/technet/se...n/MS02-009.asp
ThePull's advisory is at http://home.austin.rr.com/wiredgodde...advisory4.html
Windows update is at www.microsoft.com/Windowsupdate