Author Topic: Exploit affects even patched IE's  (Read 752 times)

solarismka

  • Member
  • **
  • Posts: 598
  • Kudos: 0
Exploit affects even patched IE's
« on: 10 June 2004, 23:52 »
http://news.netcraft.com/archives/2004/06/09/new_attack_compromises_fullypatched_ie_browsers.html

 
quote:
A new security hole in Internet Explorer exploit allows hackers to gain control of a user's computer when they click on a hyperlink, even while using a fully-patched version of IE6. An exploit using the technique, which employs a complex series of Javascript, VBScript and PHP code, has been published on the Web and is being discussed in several security mailing lists.

The attack splices together multiple weaknesses in Internet Explorer, including at least one known but unpatched flaw and several new ones. The scripting cocktail tricks the browser into running code from a remote web server as though it were a local help file, and can then install a trojan of the attacker's choice on the compromised system.

The exploit is launched when a user clicks on a malicious link in an e-mail or web page. Internet Explorer launches a pop-up window with an "iframe" tag, which is commonly used to display text or interactive features in a floating window. The code tricks the browser into thinking the iframe contains a help file from the user's hard drive, while downloading a javascript that can then run with local privileges. The javascript then launches a remote php file, which in turn downloads a trojan to the user's hard drive. A complete analysis of the exploit and how it works can be found here.

Some security professionals called the new hack an example of a "zero-day exploit," in which a working attack is published at the same time a vulnerability is discovered. The existence of a published exploit puts pressure on Microsoft to quickly come up with a patch for all IE users. Early reports suggest the key security holes may be patched in Windows XP Service Pack 2, which is now in beta.
Posted by richm at June 9, 2004 01:35 PM | Subscribe  


 
"Regime Change" starts at home!<p>Islam IS NOT the enemy! Against American Terrorism since Sept/11/2001<p>Jihad:<p>http://www.islamanswers.net/jihad/meaning.htm <p>new SuSE Linux User!<p><p>If your gonna point a finger at someone then at least have the proof to back you up!<p>trolls are idiots that demand attention by posting whatever is opposite to the theme to ruffle feathers to make people upset!<p>Often these same trolls always mention grammar/spelling since they have no intelligence of their own.

Xeen

  • VIP
  • Member
  • ***
  • Posts: 1,065
  • Kudos: 55
Exploit affects even patched IE's
« Reply #1 on: 11 June 2004, 02:03 »
Looks like Microsoft will have to roll out another patch to patch the patch that patched holes created by older patches.

format.exe - the best and most efficient patch Microsoft has ever created.

[ June 10, 2004: Message edited by: xeen ]


zolo

  • Member
  • **
  • Posts: 31
  • Kudos: 55
Exploit affects even patched IE's
« Reply #2 on: 11 June 2004, 16:15 »
Maybe it's time MS took out a Patent for security holes?

WMD

  • Global Moderator
  • Member
  • ***
  • Posts: 2,525
  • Kudos: 391
    • http://www.dognoodle99.cjb.net
Exploit affects even patched IE's
« Reply #3 on: 11 June 2004, 23:04 »
Thankfully, this hole is IE-only.  I hope I get my net connection working in Linux so I don't have to worry about these holes at all!  Because some of these, like this new one, are just dumbass.  
My BSOD gallery
"Yes there's nothing wrong with going around being rude and selfish, killing people and fucking married women, but being childish is a cardinal sin around these parts." -Aloone_Jonez

mc0282

  • Member
  • **
  • Posts: 124
  • Kudos: 0
Exploit affects even patched IE's
« Reply #4 on: 12 June 2004, 08:37 »
*yawn more IE  news about fuckin' up, and again people still use it.
huh, what?