By Dawn Kawamoto
Posted on ZDNet News: Jun 29, 2006 10:14:00 PM

Two new security flaws have been discovered in Microsoft's Internet Explorer, security experts have warned.

Code for both vulnerabilities has been published, but there have been no reports of attacks taking advantage of the flaws, the SANS Internet Storm Center, which monitors network threats, said in an advisory released Wednesday.

SANS initially reported that one of the flaws also affected Mozilla's Firefox Web browser, but on Friday it said in an updated advisory that it had determined, after further research, that Firefox was not affected by it.

The first issue is related to the handling of a technology that is used to access documents delivered from one Web site to another, according to the advisory.

Attackers could exploit the IE flaw using cross-site scripting, said Monty Ijzerman, senior manager of McAfee's Global Threat Group. That technique enables hackers to view the contents of one open browser from a second browser open on the user's system. The attackers, as a result, could swipe sensitive information, such as online banking data, from one of the sites showing.

"We consider this flaw less serious than the other IE flaw," Ijzerman said. "A user would have to have multiple browsers open, and the information on the site would have to be relevant to what the attacker wanted."

The second security hole is related to the way HTA applications are processed. (This flaw is the one that SANS at first thought also existed in Firefox.)

A PC user could be tricked into double-clicking on a malicious file and remote code could be executed, Ijzerman said. An attacker could exploit the vulnerability to read files on a system or to install rootkits, which make system changes to hide another piece of possibly malicious software.

The two IE security flaws come as Microsoft releases its final beta version of IE 7, which is designed to offer more security features. SANS said Friday that IE 7 does not have the security holes.

Microsoft said it is investigating the issues and has yet to hear of any attackers exploiting the reported vulnerabilities.

CNET News.com's Caroline McCarthy contributed to this story.

Talkback (most recent of 44)

Maybe reading the link would be a good idea?
URL: http://isc.sans.org/diary.php?storyid=1448

Summary: Firefox is not affected by HTA applications (CLSID 3050f4d8-98B...
Posted by: the_seb Posted on: 07/19/06