Quantcast
PC World: Technology Advice You Can Trust
Search
Browse by Topic
Subscribe to magazine

Magazine

Subscribe & Get
a Bonus CD

Customer Service

Find a Review
Dads & Grads Gift Guide Audio & Video Business Center Cameras Cell Phones & PDAs Communications Components & Upgrading Desktop PCs DVD & Hard Drives Gaming Hardware & Software HDTV Laptops Macs & iPods Monitors Printers Spyware & Security The PCW Test Center Windows Vista & XP
Resource Centers
Asus Notebook Center
CDW Solution Center
HP Ink Center
Intel Technology Center
Lenovo Laptop Showcase
White Paper Library
Webcast Library
Most Popular Search Terms
Most Popular Products
Most Popular Downloads
Free Newsletters
Receive the latest reviews, how-to's, news, and more.
Weekly Brief
Daily Downloads
Daily Technology News
Go
WiFi Finder
Locate wireless services by a specific address, city, state, country, airport, or zip code.
RSS Feeds
Get our latest content via convenient RSS feeds.
Latest News
Today @ PC World
Become a PCW Member
Join the community and start enjoying the benefits:
  • Get tech advice from thousands of PC World Members
  • Rate and recommend the latest tech products
  • Share your thoughts in blog and article comments
  • Get free excerpts and exclusive discounts on Super Guides
Signing up is free and easy.
Read More About: Internet ExplorerBrowser BugsBrowser Security

New IE Holes Defy Latest Patches

Four browser flaws, some twists on known vulnerabilities, could let hackers take control.

Paul Roberts, IDG News Service

Friday, June 11, 2004 3:00 PM PDT
Recommend this story?
Yes
No

Four new holes have been discovered in the Internet Explorer Web browser that could allow malicious hackers to run attack code on Windows systems, even if those systems have installed the latest software patches from the Redmond, Washington company, security experts warn.

Some of the new flaws are already being used to attack Windows users and include a glitch that allows attackers to fake or "spoof" the address of a Web page, as well as vulnerabilities that enable malicious pages from the Internet to be handled by IE with very little scrutiny or security precautions.

A Microsoft spokeswoman acknowledged the reports and said the company is looking into the attacks and is considering what steps to take, including the release of an emergency security patch to address the problems.

Familiar Vulnerabilities

Word of the four new vulnerabilities surfaced in security discussion news groups in recent weeks. Two of the vulnerabilities, first disclosed by someone using the name Rafel Igvi and posted to the NTBugtraq discussion list, allow attackers to load content from malicious Web pages while displaying the Web address of legitimate sites in the Internet Explorer's address bar. Attackers could trick users into clicking on the bogus Web links using e-mail messages or by linking from other Web pages.

The vulnerability is very similar to another hole that was uncovered in December 2003 that allowed attackers to hide the real location of a Web page by including the characters %01 before the @ symbol in a URL. The new vulnerability allows attackers to hide the actual address of the Web page that is being loaded by prefacing the address with the characters ::/ with some IE URLs, according to security company Secunia.

"Conceptually, it's very similar to the %01 problem, and (the flaw) is in a related part of the Internet Explorer code," said Thor Larholm, senior security researcher at PivX Solutions LLC.

Potent Combination

Another unpatched hole, called a "cross zone scripting" vulnerability, allows attackers to trick Internet Explorer into loading insecure content using relaxed security precautions typically applied to files stored on the local hard drive or obtained from a trusted Web site such as www.microsoft.com, Secunia said.

When combined, the address spoofing and cross zone scripting holes can create a potent and stealthy attack, with attackers using the spoofing hole to trick IE into thinking it is on a safe Web site, even as it loads malicious content from another part of the Internet, Larholm said.

"The address spoofing makes sure (the attacker) can load content from his site, and the cross zone scripting hole makes sure he can do it in (a trusted) security zone," he said.

New Threats

On Thursday, two more unpatched Internet Explorer holes also surfaced that are slight variations on the same themes. One is a spoofing vulnerability that works on IE, as well as the Mozilla and Safari browsers, and allows attackers to fake the address displayed in the address bar. The other is a cross zone scripting hole that lets users load insecure Web pages as if they were trusted Web pages, Larholm said.

All the new holes are variations of flaws discovered in the last two years, and play on known weaknesses in Internet Explorer's design, said Larholm.

In particular, Microsoft's implementation of "security zones" into which Web pages can be grouped is deeply flawed, as is code in IE for assessing what level of security to apply to a particular Web page URL. Fixing such problems will demand a wholesale reengineering of the often-used Web browser, something Microsoft plans to do in the next major release of Windows, code named "Longhorn," Larholm said.

Heavy Defense

In the meantime, Microsoft and others recommend following so-called "safe browsing" practices. Microsoft has a list of such practices on its Web page. Companies should consider increasing security in the Local Machine (or MyComputer) zone. Steps for doing so are also available on the Microsoft Web page.

PivX also offers Windows users a free tool, Qwik-Fix, that locks down Windows and prevents many common exploits, Larholm said.

Microsoft will work with law enforcement to prosecute individuals who use exploit code to damage computers, the spokeswoman said.


Recommend this story?
Yes
No
Related Searches: ie internet explorer browser hole vulnerability
Related Content
Latest News
EDS Buy Could Give HP Edge Over Dell, Analysts Say
Hewlett-Packard's acquisition of Electronic Data Systems won't hurt Dell in the next few years, but it could affect Dell's... 16-May-2008
Microsoft Pulls Windows Home Server Backup Feature
Microsoft confirms that it has yanked parts of a backup feature from a major upgrade to its Windows Home Server. 16-May-2008
HP Confirms XP SP3 Endless Reboot Snafu, Promises Patch
HP confirms that some users of its AMD-based desktops have had problems after installing Windows XP Service Pack 3. 16-May-2008
Say Goodbye to Muni-Fi
The days of imagining Wi-Fi blanketing a city are over with the exit of the last major municipally focused Wi-Fi service provider. 16-May-2008
Microsoft: Don't Misunderstand UAC, Other Vista Features
In its continued attempt to convince business customers to adopt Vista, Microsoft has outlined and tried to explain some of... 16-May-2008
Sony Reveals 2008-2009 PlayStation Software List
Sony Friday revealed a list of 15 upcoming games for the PlayStation 3, PS2 and PSP. 16-May-2008
HP-EDS Buy, Icahn Strikes Again, China Quakes
This was a big IT news week, with the massive earthquake in China on Monday showing once again the role that the Internet... 16-May-2008
Universal Battery Charger Debuts for Apple Laptops
FastMac on Friday announced its new U-Charge. It's a universal battery charger for Apple laptops and it costs US$69.95; it... 16-May-2008
Optimizing Windows on Your Mac
The June 2008 issue of Macworld includes a feature article on running Windows on your Mac--and how to do it in the most... 16-May-2008
TapDex 3.3.2
Apple's Address Book utility is a handy place to store information for your contacts, especially since it integrates so well... 16-May-2008

PC World's Marketplace

PC World's Free Whitepapers

Name City
Address 1 State Zip
Address 2 E-mail (optional)