Internet Explorer 6 scripting flaw discovered

Internet Explorer 6 scripting flaw discovered

offline
  • Puky  Male
  • Scottish rebel
  • Pridružio: 18 Apr 2003
  • Poruke: 5815
  • Gde živiš: u Zmajevom gnjezdu

Matthew Broersma
November 28, 2003, 17:30 GMT

A new IE bug could allow attackers to invade a user's PC, but a fix is not yet available

Danish security firm Secunia is warning of a set of security flaws in Internet Explorer 6 that, used together, could allow an attacker to execute malicious code on a user's PC.

The flaws were reported this week by researcher Liu Die Yu, who posted the information on public security messaging boards, and appear to exist on PCs that are patched with the latest Microsoft security updates. Users are advised to switch off active scripting in Internet Explorer until a patch becomes available, or to use a non-IE browser.

Instructions on disabling active scripting -- which may keep some sites from functioning properly -- are available from CERT, a US security advisory organisation.

One of the flaws is a cross-site scripting vulnerability, allowing scripts from one security domain (such as the Internet) to execute with the security privileges of another domain (such as My Computer).

Secunia said it had verified the flaw on IE 6, but the problems may affect earlier versions of the browser. "Other versions may also be affected, and have been added (to the advisory) due to the criticality of these issues," the company said in a statement.

Microsoft has said it is investigating the issue, and may issue a fix as part of its monthly patch release, or separately, depending on the severity of the problem. Microsoft's last cumulative monthly patch was issued on 12 November.


Objasnjenje sledi:

Three vulnerabilities that involve the cross-domain security model of Internet Explorer, which keeps windows of different domains from sharing information. These vulnerabilities could result in the execution of script in the My Computer zone. To exploit one of these vulnerabilities, an attacker would have to host a malicious Web site that contains a Web page that is designed to exploit the particular vulnerability and then persuade a user to view the Web page. The attacker could also create an HTML e-mail message that designed to exploit one of these vulnerabilities and persuade the user to view the HTML e-mail message. After the user has visited the malicious Web site or viewed the malicious HTML e-mail message an attacker who exploited one of these vulnerabilities could access information from other Web sites, access files on a user's system, and run arbitrary code on a user's system. This code would run in the security context of the currently logged on user.

A vulnerability that involves the way that zone information is passed to an XML object within Internet Explorer. This vulnerability could allow an attacker to read local files on a user's system. To exploit this vulnerability, an attacker would have to host a malicious Web site that contains a Web page that is designed to exploit the particular vulnerability and then persuade a user to view the Web page. The attacker could also create an HTML e-mail message that is designed to exploit this vulnerability and persuade the user to view the HTML e-mail message. After the user visits the malicious Web site or views the malicious HTML e-mail message, the user would then be prompted to download an HTML file. If the user accepts the download of this HTML file, an attacker could read local files that are in a known location on the user's system.

A vulnerability that involves performing a drag-and-drop operation during dynamic HTML (DHTML) events in Internet Explorer. This vulnerability could allow a file to be saved in a target location on the user's system if the user clicks a link. No dialog box would request that the user approve this download. To exploit one of these vulnerabilities, an attacker would have to host a malicious Web site that contains a Web page that has a specially-crafted link. The attacker would then have to persuade a user to click that link. The attacker could also create an HTML e-mail message that has a specially-crafted link, and then persuade the user to view the HTML e-mail message and then click the malicious link. If the user clicked this link, code of the attacker's choice could be saved on the user's computer in a targeted location.


Pa onda dalje kazu da treba otici na:
http://www.microsoft.com/technet/treeview/default......03-048.asp

i skinuti update.



Registruj se da bi učestvovao u diskusiji. Registrovanim korisnicima se NE prikazuju reklame unutar poruka.
offline
  • Pridružio: 20 Apr 2003
  • Poruke: 2091
  • Gde živiš: Novi Sad

sta drugo reci nego OPERA :-D (Mozilla/Netscape)



offline
  • Goran 
  • Prof.Mr.Dr.Sci. Traumatologije
  • Pridružio: 05 Maj 2003
  • Poruke: 9977
  • Gde živiš: Singidunum

Jel može neki put za promenu malo, ako se već dođe do toga da je moranje promeniti internet browser, ljudima preporuči nešto novo, a ne samo ova tri pomenuta već daleko poznata internet browsera, a mnogi i sami znaju da ih nađu.
Evo za promenu, ja ću toplo da predložim jedan novi internet browser koji se zove "Avant Browser". Brz i stabilan, već ga neko vreme koristim i prilično sam zadovoljan bez zamerki.
Pa, ko voli nek izvoli. Smile

offline
  • mire  Male
  • Elitni građanin
  • Pridružio: 18 Apr 2003
  • Poruke: 2282
  • Gde živiš: Beograd

ovaj ...

avant browser _je_ internet explorer ...

samo sa sminkom i par dodatnih stvari

iz faq-a

"
Is Avant Browser a secure browser?

Yes, Avant Browser is secure. Since it's based on Internet Explorer, Avant Browser is as secure as Internet Explorer. Avant Browser supports all SSL secured websites. Avant Browser's encryption length is the same as Internet Explorer's.
"

offline
  • AxeZ 
  • Legendarni građanin
  • Pridružio: 17 Apr 2003
  • Poruke: 3989
  • Gde živiš: Novi Sad, Vojvodina

Ma najbolji je YU Browser

http://www.pctv.rs/internet/yu_browser.htm


Auuu, cek, i to je IE...Pecooooooooo

offline
  • Goran 
  • Prof.Mr.Dr.Sci. Traumatologije
  • Pridružio: 05 Maj 2003
  • Poruke: 9977
  • Gde živiš: Singidunum

I da dodam da Avant Bowser koristi za trećinu manje resursa od IE-a

offline
  • mire  Male
  • Elitni građanin
  • Pridružio: 18 Apr 2003
  • Poruke: 2282
  • Gde živiš: Beograd

avant koristi najobicniju ie activex kontrolu, koju je vrlo verovatno koristio i pecin browser ...

cak sam i ja svojevremeno napravio kreaciju u delphi-u sa istom kontrolom

instant browser ... kad moze i kafa ...

offline
  • Peca  Male
  • Glavni Administrator
  • Predrag Damnjanović
  • SysAdmin i programer
  • Pridružio: 17 Apr 2003
  • Poruke: 23083
  • Gde živiš: Niš

AxeZ ::Ma najbolji je YU Browser
http://www.pctv.rs/internet/yu_browser.htm
Auuu, cek, i to je IE...Pecooooooooo


bese to '99...
ne odgovaram za Pecu iz te godine Smile

offline
  • Goran 
  • Prof.Mr.Dr.Sci. Traumatologije
  • Pridružio: 05 Maj 2003
  • Poruke: 9977
  • Gde živiš: Singidunum

Sad kad si promenio "dres" sad kudiš stari tim, eeeee Peki Smile

Ko je trenutno na forumu
 

Ukupno su 200 korisnika na forumu :: 3 registrovanih, 1 sakriven i 196 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3028 - dana 22 Nov 2019 07:47

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: Dorcolac, Eyes Wide Shut, vathra