Internet Explorer 7 vulnerability discovered
According to security firm Secunia, the just-released Internet Explorer 7 contains a "Redirection Information Disclosure" vulnerability, which allows one site to fetch data from another site through the browser and opens it up to all kinds of cross-site scripting (XSS) attacks. Interestingly, the same vulnerability has been known and unpatched in IE6 since April. It's one thing not to patch an old browser, but it seems quite another to release a brand new browser with the same vulnerability that you've been aware of for six months. If you're running Internet Explorer and want to see the exploit in action, Secunia has set up a demo page.
Tor IP anonymity compromised
A group called Packet Storm has published a paper detailing how the true IP addresses of Tor users can be discovered by the party that controls their traffic's exit node. In case all of that was Greek to you, let's back up: Tor is a system that anonymizes internet traffic by routing it through a network of Tor nodes. The aim is to make it impossible to know where traffic originated, and Tor has become popular lately among the privacy minded, especially with the debut of Torpark, a version of Firefox with Tor's anonymizing features built in. Unfortunately, Packet Storm's paper shows that if you control the last node in the chain, it's possible to determine the traffic's originating IP using a combined Flash and cookie attack. The paper's author recommends turning off Flash, ActiveX, Java, and JavaScript if you use Tor and don't want your IP sniffed out. Tor's developers have yet to make an official statement about the exploit.
[Via Netscape]
Why Firefox makes you wait 3 seconds before installing extensions
Have you ever wondered why Firefox makes you wait three seconds before you can click on the Install button when you want to install an extension? Most users (self included) assume that it's just to make users read the dialog. It turns out that's not the case--Jesse Ruderman explains that it's actually a security feature to keep people from unwittingly installing malicious code. He describes an ingenious exploit in which a user is presented with, for example, a security (CAPTCHA) image to type in. JavaScript is used to initiate an extension installation when the user starts typing, and when the user types 'y' or Enter, it triggers the 'Accept' or 'Install' button, allowing the malicious software to be installed. Since many users type faster than they could respond to the box popping up, the software is installed before they can react. (If you're confused, head over to Ruderman's blog; he explains it better than I can.) The delay in Firefox gives the user time to react and stop typing. Mozilla describes the solution in bug 162020, but the same vulnerability exists in other browsers, most notably Internet Explorer and its ilk.
Unofficial patches fix Internet Explorer vulnerability
Rather than wait two more weeks until Patch Tuesday as Microsoft has opted to do, two companies have released their own unofficial patches for the newly-disclosed Internet Explorer vulnerability that is rapidly being exploited in the wild. Security firms eEye and Determina have both announced the availability of unofficial hotfixes that they're touting as temporary solutions until Microsoft gets its act together. Both companies have released the source code of their patches for review, but installing either is still an at-your-own-risk undertaking. eEye's information and download page can be found here, and Determina's here.
[Via Slashdot]
A new Big Ugly Exploit for Internet Explorer
Microsoft has confirmed that a newly-discovered vulnerability exists in Internet Explorer that the security companies are calling "significant" and "highly critical." Of course, you won't find such scary language on Microsoft's milquetoast advisory page, but the vulnerability (for which researchers have released proof-of-concept exploit code) allows malicious web sites to run arbitrary code on victims' machines. No patch exists, but Microsoft says an effective workaround is to disable Active Scripting in IE and that Outlook and Outlook Express are not vulnerable. Patch Tuesday is April 11, and it's unlikely that we'll see a fix from Microsoft until then.
Microsoft releases WMF update patch five days early
Microsoft pays attention to the WMF vulnerability
[Via The Unofficial Microsoft Weblog]
Windows WMF vulnerability FAQ
The SANS Internet Storm Center has posted an FAQ about the WMF exploit that has been making the rounds lately. It says that all versions of Windows are affected and that even if you don't use Internet Explorer you may not be protected. On the ISC blog Tom Liston writes, "This is a bad situation that will only get worse. The very best response that our collective wisdom can create is contained in this advice—unregister shimgvw.dll and use the unofficial patch. You need to trust us." Instructions for using the patch and unregistering the DLL can be found in the FAQ.
[Via The Unofficial Microsoft Weblog]
Another day, another critical vulnerability in Internet Explorer
As reported by our pals over at the Unofficial Microsoft Blog, Microsoft is warning that there exists a vulnerability in Msddds.dll, and when it's called from a web page it may be used to crash Internet Explorer and execute arbitrary code on the victim's computer. Secunia is calling the bug "highly critical." eWeek has the details, as well as some work-arounds to protect yourself while you wait for Microsoft to issue a patch. Or, you could just switch to a different browser.













