
A pair of new Internet Explorer threats are currently unpatched

Here are the details on some serious new flaws in Microsoft Internet Explorer.

Two new Internet Explorer threats haven't been patched. Since one of them is addressed in Windows XP Service Pack 2, it may not be patched until the release of that Service Pack.

In other news, the first cell phone virus has been detected, as discussed at the bottom of this article.

Details

US-CERT Vulnerability Note VU#713878 describes a newly discovered vulnerability (CAN-2004-0549) in Microsoft's Internet Explorer that is due to a failure to properly validate the source of a redirected frame.

Public exploits of this were initially reported by Rafel Ivgi on June 8, and Jelmar conducted a detailed analysis of the vulnerability. Secunia has confirmed the existence of the two IE threats in fully patched IE 6 browsers.

The first vulnerability is a variant of the Location: identifier for local resource access, which a specially crafted URL can use to trick Internet Explorer.

The second, which is also described by US-CERT in its Vulnerability Note, is a cross-zone scripting error. This can allow malicious code to run in the Local Machine security zone.

In addition, IE and Opera browsers are vulnerable to a URL spoofing trick. This was initially published June 10. Securitytracker.com reports that Opera 7.51 and IE 6 are both vulnerable to a URL parsing error for any address containing the "%2F" character.


Applicability

The latest fully patched version of Microsoft Internet Explorer 6.0 and possibly some earlier versions of IE 6 are affected.

Risk level—Extremely critical (Secunia rating)

A successful attack only requires tricking someone into visiting a malicious Web site; execution is automatic. This would allow an attacker to run arbitrary code with the same privileges as the browser user.

This combination threat is apparently being actively exploited. Although I won't provide the URL known to be attacking systems through the exploit, it is found in several of the reports about these threats. (I don't recommend trying to visit the site except on a non-networked test machine.)

Mitigating factors

Windows XP SP2—currently scheduled to be released in July 2004—addresses the cross-zone scripting vulnerability.

Workarounds include disabling active scripting and ActiveX (especially for sites other than trusted sites) and filtering Location headers in proxy servers. The CERT/CC Malicious Web Scripts FAQ provides details on disabling ActiveX in the "Internet Zone." Microsoft Knowledge Base Article 833633 shows how to secure the Local Machine Zone. Active scripting in Outlook can be disabled by installing the latest available updates.
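
One way to implement the proxy-side Location header filtering workaround mentioned above, as an added example that is not from the original article or any vendor advisory. It assumes an allowlist policy in which only http/https targets and relative references pass; the function names and sample headers are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: for browsing traffic, only web redirects are legitimate.
ALLOWED_SCHEMES = {"http", "https"}


def location_is_safe(value):
    """Return True if a Location value is a web URL or a relative reference."""
    target = value.strip()
    # Empty values, control characters and backslashes (local paths) are rejected.
    if not target or "\\" in target or any(ord(c) < 0x20 for c in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # malformed authority, e.g. an unbalanced bracket
        return False
    if parts.scheme:
        # Absolute target: must be http(s) and must name a host.
        return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)
    # No scheme: relative reference, resolved against the requesting web origin.
    return True


def filter_response_headers(headers):
    """Split headers into (kept, dropped_location_values) for logging."""
    kept, dropped = [], []
    for name, value in headers:
        if name.lower() == "location" and not location_is_safe(value):
            dropped.append(value)
        else:
            kept.append((name, value))
    return kept, dropped


# Constructed sample responses (not taken from any real traffic).
SAMPLES = {
    "web redirect": [("Location", "https://www.example.com/next")],
    "relative redirect": [("Location", "/login")],
    "local file redirect": [("Content-Type", "text/html"),
                            ("Location", "file:///C:/example/local.htm")],
    "drive path redirect": [("location", "C:\\example\\local.htm")],
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        kept, dropped = filter_response_headers(headers)
        print(label, "-> dropped:", dropped or "nothing")
```

The dropped values are returned rather than discarded so the proxy can log them, which gives an early signal that a site is attempting redirects to local resources.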

Final word

It was a very confusing week trying to sort out which of these newly reported IE threats were actually new and which were duplicates, but, all in all, it wasn't a good week for Internet Explorer.


Also watch for…

  • Kaspersky Labs has reported finding the very first proof-of-concept network worm that spreads between cell phones. Designated "Cabir," this doesn't appear to carry any malicious payload and targets Symbian OS-powered cell phones, such as Nokia handsets, spreading via a Symbian distribution file disguised as a security utility. Launching the SIS file will cause the screen to display "Caribe" and the phone will begin scanning for all Bluetooth phones it can attack.
  • There is a critical update to MS04-011, but it won't affect very many readers since it apparently only applies to Windows NT 4.0 Workstation in Pan Chinese. This update needs to be installed even if the original patch was applied.
  • The-Insider has reported an IE null pointer vulnerability (mshtml.dll) that can cause any version of IE running on any Microsoft OS to crash when the user attempts to Save As an address string containing a specific character string. An exploit is provided. This threat also appears to affect Opera.
  • SecurityTracker reports the Linux Thy Web server has a remote crash (DoS) vulnerability. For more info, see the software's official Web site.
  • McAfee has settled a class action suit over VirusScan Versions 3 and 4. Until July 16, 2004, the company is distributing a free download of VirusScan version 8, AntiSpyware version 1.0, or QuickClean version 4.01. This is for those who are, or claim to be, U.S. residents. You can find the certification form here.
  • Panda has started the "1st Worldwide Internet Security Campaign" with the laudable goal of "ridding the world of viruses," but this is apparently just a set of written guidelines in multiple languages explaining general security steps (e.g., buy antivirus software, don't open attachments, etc.).
