Channel News and Analysis - Channel Insider

 


Vizard: IBM Gets Principled About the Channel
Big Blue looks to improve its reputation with a Principles of Engagement document governing how internal salespeople deal with the channel.
 

Serious IE Hole Opens PCs Up to Attacks

DATE: 2004-11-04
By Matthew Broersma

Article Rating:starstarstarstarstar / 0

Rate This Article:
Poor Best
Add This Article To:
The Internet Explorer flaw, which has been published on public mailing lists, allows attackers to take control of a PC via an HTML e-mail or malicious Web page.

US-CERT on Wednesday warned of a fresh hole in Internet Explorer that could allow attackers to take control of a PC via an HTML e-mail message or a malicious Web page. The flaw is all the more serious because exploit code has been published on public mailing lists, according to security researchers.

The flaw, a heap buffer overflow, is in the way IE handles two attributes of the "frame" and "iframe" HTML elements. An exploit currently circulating uses overly long SRC and NAME attributes to cause IE to execute an attacker's shell code, according to US-CERT.

Read here why Peter Coffee says IE flaws should come as no surprise.

Users could be attacked via a malicious Web page viewed in an affected version of IE or possibly through an HTML e-mail viewed in an application such as Outlook, Outlook Express, AOL or Lotus Notes that relies on the WebBrowser ActiveX control, according to researchers.

The bug has been confirmed in IE 6.0 on Windows XP with SP1 and all patches installed, as well as the same browser on a fully patched Windows 2000, according to an advisory from security firm Secunia. Microsoft Corp. has not yet released a patch.

Windows XP systems running Service Pack 2 do not appear to be affected, researchers said. Apart from installing SP2, system administrators can lessen the danger of an attack by disabling active scripting, avoiding unsolicited links that may lead to a malicious Web page and rendering e-mails in plain text, US-CERT said. Updated anti-virus programs may also be able to prevent some exploit attempts.

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzer's Weblog.

The fact that fully patched SP1 systems are vulnerable to the flaw, while SP2 systems are not, appears to show that the work put into Microsoft's security-oriented update is paying off. A spoofing flaw in IE publicized over the weekend also affects pre-SP2 systems but is largely disabled by the service pack.

Check out eWEEK.com's for the latest security news, reviews and analysis.



Discuss Serious IE Hole Opens PCs Up to Attacks
 
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Channel News and Analysis Articles          >>> More By Matthew Broersma
 



 
CHANNEL DEEP DIVES
CareersLinux and Unix
Computer NetworkingPrinters
SecuritySMB Partner
StorageSurveys
Solution BuilderMessaging/Collaboration
Dell ResellersMicrosoft Partners

 
 

SIGN UP FOR CHANNEL INSIDER NEWSLETTERS
Reliable, timely information on the business of technology. Sign up now.

RSS SUBSCRIPTIONS
XML
Add Channel News, Product Reviews, Trends and Analysis to your RSS newsreader or My Yahoo!

ZDE Services
> Ziff Davis White Paper Library

> Baseline ROI Calculators

> eWEEK Labs RFPs and Tools

 
CHANNEL RESOURCE CENTER
HP StorageWorks Scalable NAS is highly available, scalable network-attached storage for any industry solution. To learn how you can take full advantage of fault-tolerant NAS that seamlessly scales capacity and performance, visit: http://www.hp.com/go/scalablenas


Feature Video: What Can Green Do For You?
There are many ways that systems can be run faster or more efficiently, using less energy and thereby reducing costs. Watch now!
Microsoft-hosted solution offers you advanced customer relationship management capabilities without a major investment in IT and staffing.
Try It for free for 30 days!
 

 
   Sponsored Links     
 

  • Avoid the crash. Arm your Road Warriors with SSD
  • Get FREE online training modules from BlackBerry.
  • Bundles with room to grow and room to go!
  • Simplify your data center with Juniper Networks.
  • Free BlackBerry(R) Training Tour. Win a Smartphone.
  • Download Free Report: 2008 Internet Malware Trends
  • Request a Novell/Microsoft deployment kit.
  • Latitude E6400: Dell’s longest battery life yet.
  • Improve the customer experience with Dialogue
  • Meet the demand for green technology with HP desktops
  • Download the “Best Antivirus Product of 2007”


    •    Channel Insider      Contact Us | Advertise | Site Map | VARs | System Builder
    eWEEK Quick LInks Storage Devices | Networking Security | Network Infrastructure | Wireless Networking | Database Management Systems | PC Desktops | Web Programming | Enterprise Solutions Linux Operating Systems | Mac Operating System | Mobile Messaging | Internet Telephony Microsoft Windows News | Google Watch | IBM Watch

    Ziff Davis Enterprise Home | Contact Us | Advertise | Link to Us | Reprints | Magazine Subscriptions | Newsletters
    Tech RSS Feeds | White Papers | ROI Calculators | Tech Video

    Baseline | Careers | Channel Insider | CIO Insight | DesktopLinux | DeviceForge | DevSource | eSeminars |
    eWEEK | Enterprise Network Security | LinuxDevices | Linux Watch | Microsoft Watch | Mid-market | Networking | PDF Zone |
    Publish | Security IT Hub | Strategic Partner | Web Buyer's Guide | Windows for Devices

    Developer Shed | Dev Shed | ASP Free | Dev Articles | Dev Hardware | SEO Chat | Tutorialized | Scripts |
    Code Walkers | Web Hosters | Dev Mechanic | Dev Archives | igrep

    Use of this site is governed by our Terms of Use and Privacy Policy

    Copyright ©1996-2008 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. Channel Insider is a trademark of Ziff Davis Enterprise, Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise, Inc. is prohibited.