Three new IE vulnerabilities discovered |
 |
By Bill Brenner, News Writer
18 Nov 2004 | SearchWindowsSecurity.com |
|
|
Attackers could exploit two "moderately critical" vulnerabilities in Internet Explorer to bypass a security feature in SP2 and trick users into downloading malicious files, according to Danish security firm Secunia.
Secunia said in an advisory Wednesday that a researcher known as cyber flash discovered two vulnerabilities in Internet Explorer:
The first concerns a security feature in Windows XP SP2 that warns users of potential security issues when opening certain downloaded files. "If the downloaded file is sent with a specially crafted 'content-location' http header in some situations, then no security warning will be given to the user when the file is opened," the advisory said. The second problem is "an error when saving some documents using the Javascript function 'execCommand(),' which can be exploited to spoof the file extension in the 'save html document' dialog." To successfully exploit the second problem, the option "hide extension for known file types" must be enabled.
"A combination of vulnerability one and two can be exploited by a malicious Web site to trick a user into downloading a malicious executable file masquerading as an html document," Secunia said. "The vulnerabilities have been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2."
Secunia recommends users disable active scripting support and the "hide extension for known file types" option.
In a second advisory Wednesday, the firm said researcher Keigo Yamazaki found a vulnerability in Internet Explorer a malicious person could use to conduct session fixation attacks. This vulnerability is not considered critical.
"The vulnerability is caused due to a validation error in the handling of the path attribute when accepting cookies," Secunia said. "This can potentially be exploited by a malicious Web site if the trusted site supports wildcard domains or the domain name contains the malicious site's domain, using a specially crafted path attribute to overwrite cookies for the trusted site."
The vulnerability has been reported in Internet Explorer 6.0 SP1 on Microsoft Windows XP SP1, but SP2 is reportedly not affected, the advisory said. The advisory also noted that successful exploitation requires that the trusted site handle cookies and authentication "in an inappropriate or insecure manner."
Secunia recommends users update to SP2 and disable cookies except when needed.
A Microsoft spokeswoman said the software giant is investigating the reported flaws.
"Microsoft is aware of the listing by Secunia of unfixed vulnerabilities found in Internet Explorer and continues to actively investigate these reports through the security response process," she said. "We have not been made aware of any active attacks against the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports. Upon completion of these investigations, Microsoft will take the appropriate action to further protect customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs."
As with past Secunia advisories, including the one about IE's IFRAME vulnerability, she said Microsoft is concerned the new report was "not disclosed responsibly," potentially putting computer users at risk.
"We continue to encourage responsible disclosure of vulnerabilities," she said. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."
This article originally appeared on SearchSecurity.com.
|
