Fortunately for me I don't use IE6.
Drag-and-drop flaw mars Microsoft's latest update
By Robert Lemos
CNET News.com
August 20, 2004, 1:04 PM PT
An independent researcher warned that an Internet Explorer vulnerability could turn drag-and-drop into drag-and-infect, even on computers updated with Microsoft's latest security patch.
The flaw affects the latest version of Internet Explorer running on Windows XP, even after the latest major update--known as Service Pack 2--is applied. An attacker using the flaw could install a program on a victim's computer after convincing the person to visit a malicious Web site and click on a graphic.
The attacker's program would be placed in the Windows startup folder and would run the next time the user restarted the computer. The security researcher who discovered the flaw, known by the online nickname "http-equiv," posted an example to show the power of the flaw.
"If you look at the Web page, all you see are two red lines and an image; drag the image across the two lines and drop it," he said. "What you have actually done is drop (a program) into your startup folder. Next time you switch the computer on it runs the program."
Security information company Secunia believes the program that takes advantage of the issue could be simplified to only require a single click from the user. Secunia rated the flaw as "highly critical," its second-highest rating of vulnerability threats.
Microsoft said the issue did not pose a serious risk to users because it requires an attacker to trick people into visiting a Web site and taking some action at the site.
"Given the significant amount of user action required to execute an attack, Microsoft does not consider this to be a high risk for customers," a company representative said, adding that the software giant's security experts are continuing to research the issue.
Security researchers predicted that vulnerabilities would quickly be found in Windows XP Service Pack 2, or SP2. The drag-and-drop flaw is perhaps the most serious found to date in computers that have been patched with Microsoft's major security update.
Service Pack 2 promises to add better security to Windows XP's handling of network data, program memory, browsing activity and e-mail messages, by changing the system's code and configuration. A revamped firewall, for example, attempts to prevent malicious applications on a PC from connecting to the Internet by requiring that the user give specific permission for each attempt.
The SP2 software, which took almost a year to develop, is seen by many as a response to the attack launched by the MSBlast worm on Aug. 11, 2003. Almost 26 days before, Microsoft had issued a patch for the security hole exploited by the worm. However, many people did not install the fix, even though there was widespread expectation that a virus would be created to take advantage of the flaw.
Ironically, this time around, most people have not had a chance to update their computers with the security patch. The update became available only on Wednesday and will require almost a month to reach every Windows XP user who wants the software, Microsoft said.
Even so, security researcher "http-equiv" believes that the software giant's latest patch does its job.
"The patch really does lock down the machine nicely, and whatever anyone finds now will be completely different to the previous year's findings," he said.
-
I always have a hard time calling it a really big flaw when it requires user interaction. Sure, it's not a good one since from the description there is no clue what you're doing is affecting your system (of course I'm assuming this since I've not seen the page).
But heck, I've seen things almost as stupid as... "If a user goes to a webpage then follows the directions and types the following commands it crashes the system, this is yet another horrible Windows security flaw!"
I mean come on!
-
Meh, that's something people should be prepared for anyways. WinPatrol would stop that before it even starts by notifying the user within 3 minutes of that thing being added to startup. :P Anyone who was expecting Internet Explorer to be secure needs to think a little harder.
-
Yeah Flaystus,
You are right.
You are never really safe, but if you take precautions, you can minimize your exposure and risks.
-
Then when they are done thinking go get Firefox.
No software is safe, nothing is 100%.
99% of the problem is people select software like cattle. "Well it came with IE so it must be good enough"
moo
-
But if you think about it something like that can be set up to look like a game.......yeaaaaaa you win you punched the monkey.
-
I tried firefox about eight months ago, and loved it.
I don't use anything else.
-
There will always be security issues, but things seem to become a little more secure once you've taken some time and learned about them. :P Back in the day I dreaded spyware, now I've gotten used to what is and what isn't going to infect me, although that talking purple gorilla was pretty entertaining. :P