Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account

New Critical Security Leaks in IE, Mozilla

  • Please log in to reply




  • Member
  • PipPipPip
  • 340 posts
Found this in Eweek.com, its what I read on the subway going into Manhattan.

High-Risk Flaws Flagged in IE, Mozilla
January 7, 2005

Security researchers have raised the alarm for a series of unrelated, high-risk vulnerabilities in Microsoft Corp.'s Internet Explorer and the open-source Mozilla browsers.

According to a Secunia advisory, the most serious IE flaw could be exploited by a malicious hacker to hijack a vulnerable machine, conduct cross-site/zone scripting and bypass a security feature in Microsoft Windows XP SP2.

ADVERTISEMENT Secunia rates the IE flaws as "extremely critical" and recommends that users opt for an alternative browser until Microsoft releases a comprehensive patch.

For its part, Microsoft has confirmed it is investigating a "Click and Scroll" issue in IE and has posted a temporary workaround to protect users from the flaw.

In a Knowledge Base article, the software company said the bug could make it possible for an attacker to put a malicious file on a PC if a user visits a Web site.

Microsoft recommends that users install the most recent cumulative fix for IE and disable the "drag-and-drop" or "copy-and-paste files" option across a domain.

The vulnerability occurs because of insufficient validation of drag-and-drop events from the "Internet" zone to local resources for valid images or media files with embedded HTML code. Secunia said this can be exploited by malicious Web site to plant arbitrary HTML documents on a user's system, which may allow execution of arbitrary script code in the "Local Computer" zone.

Windows XP SP2 does not allow Active Scripting in the "Local Computer" zone.

Another unpatched IE flaw could allow an embedded HTML Help control on a malicious Web site to execute local HTML documents or inject arbitrary script code.

"Successful exploitation may allow execution of arbitrary HTML and script code in a user's browser session in context of arbitrary sites, or execution of local programs with parameters from the 'Local Computer' zone using an HTML Help shortcut," Secunia reported.

A third vulnerability exists in the handling of the "Related Topics" command in an embedded HTML Help control. Secunia said this bug can be exploited to launch harmful script code in the context of arbitrary sites or zones.

The company has posted a vulnerability test online to demonstrate the flaws.


The updated IE warning comes on the heels of a Bugtraq advisory for multiple flaws in Mozilla, Firefox and Thunderbird products.

The volunteer Mozilla Foundation has rolled out new versions to patch the holes, which range from a potential buffer overflow and temporary files disclosure to anti-spoofing issues.

According to the advisory, a potentially exploitable buffer overflow was discovered in the way Mozilla and Firefox handle NNTP URLs.

The Mozilla Team also fixed a way of spoofing filenames in the "What should Firefox do with this file" dialog-box option.

"A remote attacker could craft a malicious NNTP link and entice a user to click it, potentially resulting in the execution of arbitrary code with the rights of the user running the browser," the advisory read.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.
  • 0




    Founder Geek

  • Community Leader
  • 24,594 posts
MS is releasing three Windows updates next week, one considered critical. I believe all the FF issues have been corrected in the latest version.
  • 0




  • Topic Starter
  • Member
  • PipPipPip
  • 340 posts
Ok, thanx for the heads-up..I needed one of the updates and now I can look for the next series you just mentioned, the news I seen was posted 1/7 so I figured it was new.
  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP