Microsoft investigates two IE flaws

By Bill Brenner, Senior News Writer 22 Mar 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Microsoft is looking into a pair of new security holes in Internet Explorer (IE) that attackers could use to cause a denial of service or launch malicious code. Proof-of-concept exploit code has been written for one of the flaws.

One issue was discovered by vulnerability researcher Jeffrey van der Stad. In a posting on his Web site, he said the software giant had run its own tests and confirmed the flaw. He quoted a Microsoft security team member as saying, "We have been trying to get this fix into the next IE release, but it's been a lot of work to do that, as it's relatively late in the cycle. It looks like it will make it in, though."

The company's next scheduled patch release is April 11.

Cupertino, Calif.-based AV giant Symantec Corp. also looked at Van der Stad's findings and e-mailed an analysis to customers of its DeepSight Threat Management System. While few details were available, Symantec said the problem seems to revolve around HTA files, which are HTML applications that are given higher levels of trust and access to a local system than remote Web pages typically receive.

"A successful attack may allow remote attackers to execute HTA applications in the context of targeted users," Symantec said. "This may allow remote code execution and facilitate the compromise of affected computers."

Symantec outlined the following attack scenario:

• An attacker creates a malicious Web page designed to exploit this issue. The Web site contains a malicious HTA file.
• The attacker distributes links to the Web site, or distributes the malicious content through HTML e-mail messages to targeted users.
• The unsuspecting user visits the malicious Web site, or opens the malicious e-mail message, and the attacker-supplied HTA file is executed.

The problem affects Internet Explorer 6.0 running on Microsoft Windows 98, XP and Windows Server 2003. Symantec also noted that Van der Stad has developed proof-of-concept code for the flaw. To mitigate the threat, Symantec recommended users:

• Run all software as a non-privileged user with minimal access rights.
• Run the client browser as a user with the minimal amount of privileges required for functionality. This will reduce the potential negative affects of this and other latent vulnerabilities.
• Do not follow links provided by unknown or untrusted sources.
• Refrain from visiting sites of questionable integrity and following links that originate from unknown or untrusted users.
• Set Web browser security to disable the execution of script code or active content.
• As an extra precaution, disable support for active scripting in the browser. This may prevent a successful attack if this issue depends on active scripting for exploitation.

Meanwhile, the second flaw was discovered by researcher Michal Zalewski, who posted an analysis on the BugTraq forum.

In its advisory, Danish vulnerability clearinghouse Secunia said attackers could exploit the flaw to cause a denial of service.

"The vulnerability is caused due to an array boundary error in the handling of HTML tags with multiple event handlers," Secunia said. "This can be exploited to crash a vulnerable browser via a HTML tag with 94 or more event handlers. The weakness has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2."

Secunia recommended users mitigate the threat by staying away from untrusted Web sites.

A Microsoft spokesman said Tuesday that the vendor is looking into the reported flaws and that it is not currently aware of any attacks attempting to use the reported vulnerability.

He said that upon completion of the investigation, "Microsoft will take the appropriate action to protect our customers, which may include issuing a security advisory or providing a security update through our monthly release process, depending on customer needs."

Tags: Application Attacks (Buffer Overflows, Cross-Site Scripting),  Web Browser Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Application Attacks (Buffer Overflows, Cross-Site Scripting) Quiz: How to build secure applications Black box and white box testing: Which is best? Adobe warns of critical update for Reader, Acrobat 9.1.3 9 Ways to Improve Application Security After an Incident Developers Need Help with Security Errors Buffer overflow tutorial: How to find vulnerabilities, prevent attacks SQL injection protection: A guide on how to prevent and stop attacks Experts rebuke programmers who use SQL injection as feature SANS: Application threats, website flaws pose biggest security threats Mozilla helps Adobe push out faster patches Application Attacks (Buffer Overflows, Cross-Site Scripting) Research Web Browser Security Exploit code targets Internet Explorer zero-day display flaw InZero Systems launches hardware-based security gateway Web security firm ranks Firefox, Safari browsers as flaw prone Microsoft fixes security update that breaks Internet Explorer Mozilla update repairs Firefox buffer overflow vulnerabilities Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Do Facebook URL security concerns justify blocking social networks? Phishing attacks to remain a major problem, say security experts Adrian Perrig: Improve SSL/TLS Security Through Education and Technology Web Browser Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary buffer overflow  (SearchSecurity.com) cache poisoning  (SearchSecurity.com) cyberterrorism  (SearchSecurity.com) dictionary attack  (SearchSecurity.com) directory harvest attack  (SearchSecurity.com) distributed denial-of-service attack  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) ping of death  (SearchSecurity.com) stack smashing  (SearchSecurity.com) SYN flooding  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary