Two new Internet Explorer threats haven’t been patched. Since
one of them is addressed in Windows XP Service Pack 2, it may not be patched
until the release of that Service Pack.
In other news, the first cell phone virus has been detected,
as discussed at the bottom of this article.
Note VU#713878 describes a newly discovered vulnerability (CAN-2004-0549) in Microsoft’s Internet Explorer that is due
to a failure to properly validate the source of a redirected frame.
Public exploits of this were initially reported
by Rafel Ivgi on June 8, and Jelmar conducted a detailed analysis of the
vulnerability. Secunia has confirmed
the existence of the two IE threats in fully patched IE 6 browsers.
The first vulnerability is a variant of the Location: identifier
for local resource access, which a specially crafted URL can use to trick
The second, which is also described by US-CERT in its Vulnerability
Note, is a cross-zone scripting error. This can allow malicious code to run in
the Local Machine security zone.
In addition, IE and Opera browsers are vulnerable to a URL
spoofing trick. This was initially published June 10. Securitytracker.com reports
that Opera 7.51 and IE
6 are both vulnerable to a URL parsing error for any address containing the
For more information and resources on IE security, see these
XP Service Pack 2
with Internet Explorer 6 Security Settings
Your Browsing and E-Mail Safety
The latest fully patched version of Microsoft Internet
Explorer 6.0 and possibly some earlier versions of IE 6 are affected.
Risk level—Extremely critical (Secunia rating)
A successful attack only requires tricking someone to visit
a malicious Web site; execution is automatic. This would allow an attacker to
run arbitrary code with the same privileges as the browser user.
This combination threat is apparently being actively
exploited. Although I won’t provide the URL known to be attacking systems
through the exploit, it is found in several of the reports about these threats.
(I don’t recommend trying to visit the site except on a non-networked test
Windows XP SP2—currently scheduled to be released in July
2004—addresses the cross-scripting vulnerability.
Workarounds include disabling active scripting and Active X (especially
for sites other than trusted sites) and filter location headers in proxy
Malicious Web Scripts FAQ provides details on disabling ActiveX in the “Internet
Zone.” Microsoft Knowledge Base Article 833633 shows
how to secure the Local Machine Zone. Active scripting in Outlook can be disabled
by installing the latest available updates.
It was a very confusing week trying to sort out which of
these newly reported IE threats were actually new and which were duplicates,
but, all-in-all, it wasn’t a good week for Internet Explorer.
Also watch for…
reported finding the very first proof-of-concept network worm that
spreads between cell phones. Designated “Cabir,” this doesn’t
appear to carry any malicious payload and targets Symbian OS-powered cell
phones, such as Nokia handsets, spreading via a Symbian distribution file
disguised as a security utility. Launching the SIS file will cause the
screen to display “Caribe” and the phone will begin scanning for
all Bluetooth phones it can attack.
is a critical update to MS04-011,
but it won’t affect very many readers since it apparently only applies to
Windows NT 4.0 Workstation in Pan Chinese. This update needs to be
installed even if the original patch was applied.
- The-Insider has reported an IE null pointer vulnerability (mshtml.dll) that can
cause any version of IE running on any Microsoft OS to crash when the user
attempts to Save As an address string containing a specific character
string. An exploit is
provided. This threat also appears to affect Opera.
the Linux Thy Web server has a remote crash (DoS) vulnerability. For more
info, see the software’s official Web site.
has settled a class action suit over VirusScan Versions 3 and 4. Until
July 16, 2004, the company is distributing a free download of VirusScan
version 8, AntiSpyware version 1.0, or QuickClean version 4.01. This is
for those who are, or claim to be, U.S. residents. You can find the
certification form here.
has started the “1st
Worldwide Internet Security Campaign” with the laudable goal of “ridding
the world of viruses,” but this is apparently just a set of written
guidelines in multiple languages explaining general security steps (e.g.,
buy antivirus software, don’t open attachments, etc.).