2 More serious IE exploits found

Discussion in 'other security issues & news' started by JayK, Jan 5, 2004.

Thread Status:
Not open for further replies.
  1. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    The first one is less serious

    http://www.secunia.com/advisories/10523/

    Arman Nayyeri has discovered a variant of the older showHelp() zone bypass vulnerability, which works in Internet Explorer with all current patches.

    Websites can call the showHelp() function and open locally installed "CHM" files, which are compressed help files. These may contain references to system commands and can execute code with the privileges of the logged in user.

    Normally, it isn't a problem that Internet Explorer allows websites to open locally installed "CHM" files as they are considered trusted.

    However, other files can be treated as "CHM" files by using a special syntax with a double ":" appended to the file name combined with a directory traversal using the "..//" character sequence.

    This can be exploited if a program such as WinAmp, XMLHTTP, ADODB stream or others allow websites to place files in a known location.

    An example exploit has been published, which is capable of running arbitrary code on the system if WinAmp is installed in the default location.

    The vulnerability has been confirmed in fully patched Internet Explorer 6 with WinAmp 5 installed.

    Solution:
    Disable active scripting support and enable it only for trusted sites.

    Filter HTML pages with references to "showHelp()" using a HTTP proxy or firewall with content filtering capabilities.

    Use another product.


    The second is a stunner just announced on bugtraq, unfortunately I can't seem to access it now to post the link, but it basically allows another attacker to save and execute any link you click on.
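
The filtering workaround in the advisory quoted above, sketched as an added example (not part of the thread or of the Secunia advisory): a check a content-filtering proxy could run on HTML response bodies, flagging every `showHelp` reference and escalating when the argument shows both traits the advisory describes. The function name `scan_html`, the severity labels and the sample pages are assumptions, and the sample paths are constructed placeholders.

```python
import html
import re
from urllib.parse import unquote

# Any reference to the function name, per the advisory's filtering advice.
TOKEN = re.compile(r"\bshowHelp\b", re.IGNORECASE)
# Argument text of a direct call that follows the name.
CALL_ARGS = re.compile(r"\s*\(\s*([^)]*)\)")
# Traits the advisory describes: a double ":" and directory traversal.
# "../" also matches the "..//" form quoted in the advisory.
TRAITS = (("double-colon", "::"), ("traversal", "../"))

# Constructed sample pages; the paths are placeholders, not real file names.
SAMPLE_PAGES = {
    "benign": '<a href="/help/index.html">Help</a>',
    "plain_call": '<script>showHelp("/help/topic.htm");</script>',
    "suspicious": '<img src="x.gif" onload="showHelp(&quot;'
                  'PLACEHOLDER_DIR..//PLACEHOLDER_FILE.ext::/page.htm&quot;)">',
}


def scan_html(body):
    """Return one finding per showHelp reference in an HTML response body."""
    text = html.unescape(body)  # inline handlers may be entity-encoded
    findings = []
    for m in TOKEN.finditer(text):
        call = CALL_ARGS.match(text, m.end())
        # Percent-decode so encoded separators are compared in plain form.
        arg = unquote(call.group(1)).strip() if call else ""
        traits = [name for name, needle in TRAITS if needle in arg]
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "argument": arg,
            "traits": traits,
            # Both traits together match the advisory's description: block.
            # Any other reference is held for review.
            "severity": "block" if len(traits) == len(TRAITS) else "review",
        })
    return findings


if __name__ == "__main__":
    for name, page in SAMPLE_PAGES.items():
        print(name, scan_html(page))
```

A name assembled at run time would not be seen by this check; the advisory's first workaround, disabling active scripting, does not depend on pattern matching.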
     
  2. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    This might be the other threat you mentioned   

    http://www.vnunet.com/News/1151714
          
    New IE flaw allows easier phishing
    By Robert Jaques [23-12-2003]
    Scammers can now show identical URLs to real sites, warns security firm

       
       

    Millions of Internet Explorer users have been warned of a security vulnerability within the browser that poses a "significant risk".

    According to analysts from the X-Force division of security firm ISS, the flaw can allow website addresses or URLs to display incorrectly in the browser's navigation bar, thereby allowing scams that trick users into trusting a bogus website.

    The flaw, which ISS says is trivial to exploit, may be triggered when individuals navigate to URLs from within emails or hostile web pages.

    Similar vulnerabilities have been used extensively in mass emails, or fake websites designed to replicate the original in an effort to steal personal information from the victim.

    "This type of attack has commonly been referred to as 'phishing'. Whereas past phishing attacks used URLs similar to the original, this new vulnerability allows URLs that are identical to the original website," said the X-Force Security Alert.

    "This makes it almost impossible for individuals to differentiate between fraudulent sites and legitimate sites."

    Affected versions of the browser include Internet Explorer 6.0, 5.5 and 5.01. The complete X-Force advisory can be viewed here.
     
  3. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    No. The one you point out is pretty well known and is old already.

    There's another one, a much more serious and recent one, that bypasses the download dialog and automatically executes files, but as of now the press still isn't reporting it, and for some reason bugtraq is still down for me ??
     
  4. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    I have this as exploit #14 in my poll which I updated on 1/4/04:

    http://www.wilderssecurity.com/showthread.php?t=11975

    more info:

    http://www.securityfocus.com/bid/9278/discussion
     