Two years after patch, a new IE5/6 FTP flaw

A flaw in the way Microsoft's Internet Explorer (IE) browser processes FTP commands could let attackers steal or erase data from a victim's FTP site.

The bug, which affects users of IE6 and the unsupported IE5 browser, gives an attacker a way of hijacking the victim's FTP sessions. But a successful attack would be very hard to pull off and would only work in very precise and targeted attacks, security experts said.

The attacker would need to know the victim's user name on the FTP server and the victim would have to already be logged into the server, using IE. Under those conditions, the victim could be sent a malicious FTP link that would then execute commands on the victim's FTP server.

This link could be sent to the browser via an invisible iFrame component, hidden on a malicious website, so the victim might not even know the attack was taking place. "It's something that people could use to steal data, but you'd have to know your target," said Derek Abdine, the principal software engineer with security vendor Rapid7, who unveiled the issue in a security advisory.

View: Full Article @ TechWorld


14 Comments


After all this time, if you haven't upgraded to IE 7 yet it's your own fault if you fall victim to something like this.

So they created Firefox because Internet Explorer 5 and 6 have flaws. That seems like a terrible reason to make a new browser. That's why that isn't the reason Firefox was created, basically you are wrong.

FireFox was created for people who are on the "I hate IE for no real reason since it works fine but it's a Microsoft product" bandwagon.

And OS X users who want a browser that works.

(C_Guy said @ #5.2)
FireFox was created for people who are on the "I hate IE for no real reason since it works fine but it's a Microsoft product" bandwagon.

And OS X users who want a browser that works.

Firefox (mozilla) exists for Linux users who cannot use Microsoft's wonderful browser, either.

(C_Guy said @ #5.2)
FireFox was created for people who are on the "I hate IE for no real reason since it works fine but it's a Microsoft product" bandwagon.

You really can't see how crap IE is? IE7 was a step in the right direction but was still behind FF2. FF3b4 has been rock solid for me and I love the new features (better memory manager, download manager, awesome bar, faster rendering, Weave). I like MS but hate IE and haven't used it for years outside of work.

(C_Guy said @ #5.2)
FireFox was created for people who are on the "I hate IE for no real reason since it works fine but it's a Microsoft product" bandwagon.

And OS X users who want a browser that works.

You obviously have been too ignorant to ever read a reason why IE has been so bad in the past. It's absolutely CRAP for developers. It seriously wastes tens of millions of dollars on resources every year because programmers have to spend time to write workarounds for IE.

No one should be using IE5 as their primary browser anyway.

If you're using Win98SE or WinMe, IE6 has been out for a while. Under no circumstance should anyone be using anything older than Win98SE.

Actually, no one should be using anything but Windows 5 or newer. If your system is too slow for Win2000 or XP, you really need to spend the $100 to get a different system.

IE5? Ha! Only Windows 98 and ME users would use that! Of course, they could upgrade to IE6...

I wonder if this also affects IE 5.5 since it just said IE5 and IE6...

Improbable. The likelihood that a hacker (a) finds a target still using IE5/IE6 and (b) knows their FTP login name... the probability of that seems quite low.

Edit: Forgot to add (c) the fact that they use IE to access their FTP instead of any of the numerous free or paid FTP software.

(LipSmacker said @ #1)
Improbable. The likelihood that a hacker (a) finds a target still using IE5/IE6 and (b) knows their FTP login name... the probability of that seems quite low.

Edit: Forgot to add (c) the fact that they use IE to access their FTP instead of any of the numerous free or paid FTP software.

This would be a threat to SOHO businesses who do not enforce proper security procedures.