A security flaw in Microsoft's Internet Explorer browser could allow a hacker to take control of a remote computer if its user clicks a link to an outdated Internet protocol, a computer security firm says.
Oy Online said it notified Microsoft Corp. of the security hole relating to the Gopher protocol on May 20 but the software giant has yet to produce a software patch to fix the problem.
Although Gopher is considered an outdated format for Internet content, it is still supported by Internet Explorer and most other browsers.
A Microsoft spokesman who refused to be identified said Tuesday that the company is "moving forward on the investigation with all due speed" and will take the action that best serves its customers.
According to Oy Online, a hacker could take over a user's computer simply by having the user click on a link to a "hostile Gopher site." That one click would install and run any program the hacker chose on the victim's computer, and the victim might never know.
Oy Online has not released the full details of the exploit, to prevent exploitation, but some details have been published on its site. The attack can be launched via a web page or an HTML mail message that redirects the user to a malicious gopher server when the victim views it. The server can be very minimal, i.e. a program that can listen on a TCP port and write a block of data; a fully operational gopher server isn't necessary in order to carry out the attack.
News source: Yahoo AP News
View: Oy Online Security Bulletin - Buffer overflow in Microsoft Internet Explorer gopher code
View: Test whether you are vulnerable...
A partial workaround has been documented:
- An easy way to disable processing and displaying gopher pages is to define a non-functional gopher proxy in Internet Options. Select Tools -> Internet options -> Connections. Click on "LAN settings". Check "Use a proxy server for your LAN". Click on "Advanced...". Here you can define proxy servers to be used with different protocols. Go to the Gopher text field and enter "localhost", and "1" in the port text field. This will stop Internet Explorer from fetching any gopher documents.
After installing the patch from Microsoft you can remove these gopher proxy settings (or restore them to values they had before).
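To confirm the workaround is actually in effect on a machine, the check below parses the proxy settings and reports whether gopher requests are sent to the dead local proxy. It is an added example, not code from Oy Online or Microsoft; it assumes the inputs are the `ProxyEnable` and `ProxyServer` values from the per-user Internet Settings registry key, treats `127.0.0.1` as equivalent to `localhost`, and uses constructed sample values.

```python
import re

# Assumption: these inputs are the ProxyEnable (DWORD) and ProxyServer (string)
# values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
SINKHOLE_HOSTS = {"localhost", "127.0.0.1"}

def split_host_port(target):
    """Split 'host:port' (optionally 'scheme://host:port') into (host, port)."""
    target = re.sub(r"^[a-z]+://", "", target, flags=re.I)
    host, _, port = target.partition(":")
    return host.lower(), int(port) if port.isdigit() else None

def gopher_proxy(proxy_server):
    """Return the (host, port) gopher requests are sent to, or None if direct."""
    fallback = None
    for entry in filter(None, re.split(r"[;\s]+", proxy_server.strip())):
        scheme, sep, target = entry.partition("=")
        if not sep:                       # bare "host:port" covers every protocol
            fallback = fallback or entry
        elif scheme.lower() == "gopher":  # a per-protocol entry wins
            return split_host_port(target)
    return split_host_port(fallback) if fallback else None

def workaround_status(proxy_enable, proxy_server):
    """Report whether the localhost:1 gopher proxy workaround is in effect."""
    if not proxy_enable:
        return "not applied: proxy use is disabled, gopher is fetched directly"
    proxy = gopher_proxy(proxy_server or "")
    if proxy is None:
        return "not applied: no proxy covers gopher, it is fetched directly"
    host, port = proxy
    if host in SINKHOLE_HOSTS and port == 1:
        return "applied: gopher is sent to a non-functional local proxy"
    return f"not applied: gopher is relayed through {host}:{port}"

# Constructed sample settings, not taken from any real machine.
SAMPLES = [
    (1, "gopher=localhost:1"),
    (1, "http=proxy.example:8080;gopher=localhost:1"),
    (0, "gopher=localhost:1"),
    (1, "http=proxy.example:8080;ftp=proxy.example:8080"),
    (1, "proxy.example:8080"),
]

if __name__ == "__main__":
    for enable, server in SAMPLES:
        print(f"{enable} {server:45} {workaround_status(enable, server)}")
```

The third sample is the case most easily missed: the gopher field is filled in, but "Use a proxy server for your LAN" is unchecked, so the entry has no effect.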
What's new in version 1.6?
+ Transparency for the menu, taskbar, toolbars in Win2k/XP.
+ New options for the main menu and taskbar.
+ The "StayOnTop" option is now separate for the taskbar and toolbars.
* Fixed bugs with applications' autoload from the registry,
the "RunOnceEx" key is now supported (important for IE setup
and Windows Update).
* Fixed bug with transparency in notebook.
+ New context menu for the desktop elements.
* Fixed bug with "Computers' find" in Win NT4, Win98.
* Fixed bug with "application toolbars" in Win XP.
+ Assigned font for the "tip of the day".
* Fixed bugs with some applications: ZoneAlarm, 602 office, "multimedia
keyboard" utility.
* Fixed bug in "Popup folder" with long filename.
+ Added new utility SHDOCTOR, which can easily prevent the "shell not found"
problem in Win9x/ME.
* Fixed bugs with Theme Wizard with theme creation and removal.
+ 256-colors video modes are now supported.
+ The "Recycle Bin" icon now renews automatically in Win 98 (and
NT4, Win 95 with IE 4.0 or later).
+ Keyboard layout indicator is now supported in XP.
* Fixed bug: the taskbar covers up the portion of screen in "Half-Life".
* Fixed bug with drag'n'drop in main menu setup.
* Fixed bug with "Cut" - "Cancel" in setup.
* Fixed bug with wallpapers' setup.
