Security advice firm Secunia has released information concerning a new flaw in Microsoft's web browser, Internet Explorer.
The flaw allows cross-site scripting attacks to be performed on users. In the scenario that Secunia have published, a user can follow a link to xyz.com and see xyz.com in the address bar, yet the content is being fed to the browser from another site. Clicking on the padlock SSL icon in the bottom corner of Internet Explorer also shows xyz.com.
The problem is caused by the "DHTML Edit ActiveX control when handling the 'execScript()' function in certain situations. This can be exploited to execute arbitrary script code in a user's browser session in context of an arbitrary site". The issue affects the most recent releases of Internet Explorer 6.0, including systems patched with Service Pack 2. To avoid being affected, it's advised that you disable ActiveX. Microsoft have yet to comment or release a patch for the problem.
Other browsers are not affected.
View: Secunia Advisory
What's new in 1.1:
- Faster Searches
- Better auto-configuration when you first install gdSuite (it actually works now!)
- A large number of other enhancements, speed-ups, bug fixes, and tweaks. For example, gdSuite now detects if Google Desktop is running, and if it isn't, gdSuite offers to start it for you.
What's being said about gdSuite
“[gdSuite] bring[s] Google closer to creating an interface that Microsoft is likely to deliver.” - NewsFactor
“gdSuite … gives Google Desktop Search an interface, and some much needed advanced features” - InsideGoogle
“I'm glad to have the additional options for those times when Google Desktop doesn't find exactly what I needed quickly” - SearchEngineWatch, on gdSuite

http://www.ubergeek.tv/article.php?pid=74
As Tom just said, if you have questions or problems, take it up via PM.
EDIT: Sorry, Tom...
Last edited by 36818 on 17 Dec 2004 - 16:30
I said to take it up in PM, and I bloody well mean it.
Last edited by 36818 on 17 Dec 2004 - 18:59
Last edited by 36818 on 18 Dec 2004 - 03:02
<< removed link - unnecessary >>
Last edited by 36818 on 17 Dec 2004 - 14:53
Go to http://secunia.com/internet_explorer_cross-site_scripting_vulnerability_test/
Click Tools, Manage Add-Ons...
Select 'DHTML Edit Control Saf...'
Select the disabled radio control and click OK.
(that being essentially what Secunia are)
will greatly reduce the attack surface.
In summary, it is my opinion Secunia is once again trying to make a huge fuss over an issue that is serious, but not that critical at all.
Edit: Also, as Xeron already pointed out, there is a work-around.
Before loading any ActiveX control, users are presented with a dialog that explains to them that it could compromise their machine.
It's obvious that amazon.com or paypal.com or citibank.com or whichever trustable site won't have content fed from hacker sites... and the "the address in the address bar is different" trick only works when the URL is from a trustable, known site.
[edit] Forget it, I read the security report wrongly :$
Last edited by 21512 on 17 Dec 2004 - 20:23
www.illownjoo.com sets up a webpage that looks like the PayPal payment page. Using the enclosed bug, they can fake their URL and SSL identification to show "www.paypal.com" and collect that user's PayPal account details.
A situation where this could be used is, for example, a webstore that claims to use PayPal for payments, but when using "checkout" the user could be directed to "www.illownjoo.com" and the URL would show "www.paypal.com"...
You cannot do that just by modifying some divs.
Sorry!
I use Avant, so theoretically it will suffer all the problems IE does, but you know what, I don't care, it works and I'm happy with it. There are many alternatives, so instead of bitching or whatever, read this news, go to www.mozilla.org and get Firefox.
Hehe, spoken like a true IE fan
While I agree that he should care about issues like these, I 100% agree with his closing that people have a choice. They should use what they prefer and quit bitching and whining.
EDIT: Why did the news section place my post above #9.2? This one is 6 minutes later than Jugalator's...
That may be so, but unlike the rest of the rabid Firefox dweebs who seem to go into some rabid preach about Firefox the minute any flaw is "discussed", he has suggested Firefox as an alternative. He prefers to use IE/Avant; that is their choice. I have used Firefox and I think it is WAY overrated and I personally don't use it. I will not state my browser of preference to reduce the flames that are generated. (Suffice to say it is not IE.)
Oh and BTW I tried this "flaw" on my XP SP1 box and guess what, it did not work, as my firewall blocked the ActiveX script and denied access to it. Gee, I am so at risk!!!
Opinions are like A**holes, everyone's got one but no one wants you to air them in public.
Also, in regards to your test of the flaw on your machine: your result means nothing. This is a verified flaw, whether your system displays it or not.
They do this with every flaw they find in any OS Program and so on, and I'm sick of it. [end rant]
Then why do they publish Firefox bugs too? If they know that Firefox will fix things since it is open source, why would they choose to openly disclose it before going to Firefox first?
Oddly enough, their test didn't work on my Windows 2003 box ("hardened" mode off). It actually showed Paypal's site rather than their custom "you could've just been hacked" page.
I compared this against a WinXP SP2 machine I have around here and that one showed the hacked page. I haven't played with it too much, but either the "workaround" is already in effect on 2003 or it's something simple enough that a quick flag change in some other security setting would just fix.
"Disable ActiveX"
Yeah, great. How do you use Windows Update without it (pretty much the only thing I use IE for, apart from checking a site I've made renders correctly)?
Similar to "Disable scripting", only that ActiveX (in IE) is a bug-ridden crapheap, whereas JavaScript isn't, but IE can't seem to sandbox code in any way, shape or form...
---Begin copying with the following line but change / to backslash ---
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Internet Explorer/ActiveX Compatibility/{2D360201-FFF5-11d1-8D03-00A0C959BC0A}]
"Compatibility Flags"=dword:00000400
---End copying with the line above---
In other words, this is really not an IE vulnerability, except to the extent that the DHTML Editor Control "comes with" every copy of IE.
Last edited by 62072 on 18 Dec 2004 - 21:44
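An added example, not part of the post above or of any Microsoft tooling: a Python check that parses `.reg` text and reports whether the kill bit (`0x400` in "Compatibility Flags") is set for the CLSID quoted in the post. The function names and sample inputs are constructed for illustration; the parser accepts the forum's forward-slash form as well as real backslash exports, and tests the bit with a mask because other flags may be set on the same value.

```python
import re

# CLSID taken from the registry snippet in the post above.
DHTML_EDIT_CLSID = "{2D360201-FFF5-11d1-8D03-00A0C959BC0A}"
KILL_BIT = 0x00000400  # "Compatibility Flags" bit that stops IE instantiating a control

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"Compatibility Flags"\s*=\s*dword:([0-9a-fA-F]{1,8})$')


def parse_compat_flags(reg_text):
    """Return {CLSID_UPPERCASE: flags} for every ActiveX Compatibility key in .reg text."""
    flags = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            # Accept the forward-slash form posted on the forum as well as real exports.
            parts = key.group(1).replace("/", "\\").split("\\")
            is_compat = len(parts) >= 2 and parts[-2].lower() == "activex compatibility"
            current = parts[-1].upper() if is_compat else None
            continue
        value = VALUE_RE.match(line)
        if value and current:
            flags[current] = int(value.group(1), 16)
    return flags


def kill_bit_set(reg_text, clsid=DHTML_EDIT_CLSID):
    """True only if the key exists and the kill bit is among its flags."""
    return bool(parse_compat_flags(reg_text).get(clsid.upper(), 0) & KILL_BIT)


# Constructed sample inputs (not captured from a real machine).
FORUM_FORM = """Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Internet Explorer/ActiveX Compatibility/{2D360201-FFF5-11d1-8D03-00A0C959BC0A}]
"Compatibility Flags"=dword:00000400
"""
OTHER_FLAGS_ONLY = FORUM_FORM.replace("/", "\\").replace("00000400", "00000020")
MISSING_KEY = "Windows Registry Editor Version 5.00\n"

if __name__ == "__main__":
    samples = [("forum", FORUM_FORM), ("other flags", OTHER_FLAGS_ONLY), ("missing", MISSING_KEY)]
    for name, text in samples:
        print(name, "->", "blocked" if kill_bit_set(text) else "NOT blocked")
```

Files exported by regedit are normally UTF-16, so decode them to text before passing them to `kill_bit_set`.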
SurfinGuard is actually the only reason I stick with IE.
I don't see any Firefox links anymore.
lol!
This is why I convert as many "Harry Home-owner" users to Firefox as a matter of urgency; quite simply, it's got by far the better security record; the extra functionality is almost irrelevant (but not unappreciated).
The point is: prevention is always better than cure, and that's the philosophy by which, in my opinion, it is best to abide for the best chance of a secure online existence.
Last edited by 46870 on 18 Dec 2004 - 09:08
What crap are you spouting? ThaCrip was just informing users of a far better alternative browser, Firefox. You call that forcing opinion on others? He stuck a gun up your arse? How about M$ monopolizing the market through unfair practices?- that is what I call forcing.
No one forces you to use Windows. You can buy an Apple. Or you can install Linux and get rid of Windows.
What I don't understand is your hatred of Microsoft coupled with your usage of their products. Put your money where your mouth is and pick the "better" product and install Linux, since you have so much foul hatred for all things Microsoft.
I think the expression is called "put up, or shut up". If you try a non-Microsoft OS, then go running back to Windows, then I guess you should stop spouting off crap.
ThaCrip wasn't informing. He was using misleading rhetoric to discredit IE. He was describing a program that can supposedly fix the security in other browsers, but the way it fixes it is by abandoning it. It's like offering suicide as a cure for cancer.
Last edited by 36818 on 18 Dec 2004 - 05:42
But at the end of the day... even though some websites don't display/function properly on Firefox (9 out of 10 times it is the website designer's fault when this happens), it's just plain safer to use Firefox.
And some common sense helps when going to shady websites.
I think we should all log off and go sell flowers on our nearest streetcorner.
The internet, it is BROKENED!