Flaws found in IE and Adobe browser utility

Edward Hurley, SearchSecurity.com News Writer

This has not been a great month for browsing the Web. On Tuesday, three new vulnerabilities were found in a popular browser plug-in. Additionally, Internet Explorer 6 contains a flaw that is not patchable at this time.

GreyMagic Software released an advisory Tuesday on three flaws it discovered in Adobe SVG Viewer. The application is a popular browser plug-in for rendering Scalable Vector Graphics (SVG), an XML-based language for creating and controlling vector graphics.

IDefense Labs is warning of a flaw it found in Internet Explorer version 6. Specifically, there is a problem with the ADODB.Stream object in ActiveX. A Web page has been found that exploits the flaw and runs arbitrary code on the viewing system.

Late last week, Microsoft released a fix that addressed a way the flaw could be exploited but didn't fix the ADODB.Stream object itself, iDefense said in its advisory. "I would not be surprised to see another wave of quiet, yet dangerous, Trojan attacks in light of this new exploit code," Ken Dunham, iDefense's director of malicious code, said in the advisory.

Reston, Va.-based iDefense recommends users set a kill bit in the Windows registry to prevent the attack. Here is the key:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}

Then users need to create a DWORD value called "Compatibility Flags" with the value "400".

The flaws in Adobe SVG Viewer were found during a security audit of the application. "The increasing interest of the Web development community in this language and technology prompted us to take a look at the most popular plug-in available for SVG," said Lee Dagon, head of research and development at Israel-based GreyMagic.

GreyMagic notified Adobe of the flaws about a month ago, Dagon said. Users of Adobe SVG Viewer are urged to upgrade to version 3.01, which protects against these vulnerabilities.

The vulnerabilities, if exploited, allow attackers a wide range of access. One allows a script on a Web page to run even if a user specifically chooses not to. Another allows attackers to gain access to private data on users' systems.

"The third flaw is the most devastating one; it allows full access to the user's computer," Dagon said. It could be used to do a host of things, such as cookie theft, Web site impersonation, local file reading and writing and even running commands on target systems.

To exploit the SVG Viewer flaws, an attacker would need to lure victims to a Web page containing the bad code. Creating the exploit code isn't difficult. "Most of the flaws are fairly simple and straightforward, once understood," Dagon said. "An attacker wouldn't need to be exceptionally well-versed in order to construct an exploit to use them."
