Two new Internet Explorer threats haven’t been patched. Since
one of them is addressed in Windows XP Service Pack 2, it may not be patched
until the release of that Service Pack.

In other news, the first cell phone virus has been detected,
as discussed at the bottom of this article.

Details

US-CERT Vulnerability Note VU#713878 describes a newly discovered
vulnerability (CAN-2004-0549) in Microsoft’s Internet Explorer that is due
to a failure to properly validate the source of a redirected frame.

Public exploits of this were initially reported
by Rafel Ivgi on June 8, and Jelmer conducted a detailed analysis of the
vulnerability. Secunia has confirmed
the existence of the two IE threats in fully patched IE 6 browsers.

The first vulnerability is a variant of the Location: identifier
for local resource access, which a specially crafted URL can use to trick
Explorer.

The second, which is also described by US-CERT in its Vulnerability
Note, is a cross-zone scripting error. This can allow malicious code to run in
the Local Machine security zone.

In addition, IE and Opera browsers are vulnerable to a URL
spoofing trick. This was initially published June 10. Securitytracker.com reports
that Opera 7.51 and IE 6 are both vulnerable to a URL parsing error for any
address containing the “%2F” character.

For more information and resources on IE security, see these
links:

Applicability

The latest fully patched version of Microsoft Internet
Explorer 6.0 and possibly some earlier versions of IE 6 are affected.

Risk level—Extremely critical (Secunia rating)

A successful attack only requires tricking someone into visiting
a malicious Web site; execution is automatic. This would allow an attacker to
run arbitrary code with the same privileges as the browser user.

This combination threat is apparently being actively
exploited. Although I won’t provide the URL known to be attacking systems
through the exploit, it is found in several of the reports about these threats.
(I don’t recommend trying to visit the site except on a non-networked test
machine.)

Mitigating factors

Windows XP SP2—currently scheduled to be released in July
2004—addresses the cross-zone scripting vulnerability.

Workarounds include disabling active scripting and ActiveX (especially
for sites other than trusted sites) and filtering Location headers in proxy
servers. The CERT/CC Malicious Web Scripts FAQ provides details on disabling
ActiveX in the “Internet Zone.” Microsoft Knowledge Base Article 833633 shows
how to secure the Local Machine Zone. Active scripting in Outlook can be disabled
by installing the latest available updates.
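
One way to implement the proxy-side Location filtering mentioned above, as an added example that is not from the original article or from any vendor. It goes beyond the specific case by allowlisting http/https and relative redirect targets instead of matching a known-bad pattern; the function names and sample headers are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: only web redirects are legitimate for clients behind this proxy.
ALLOWED_SCHEMES = {"http", "https"}


def location_allowed(value):
    """Return True if a Location value is relative or uses an allowed scheme."""
    target = value.strip()
    # Reject empty values, control characters and backslashes: client-side
    # normalisation of these is unpredictable, so the filter fails closed.
    if not target or any(ord(c) < 0x20 or c == "\\" for c in target):
        return False
    scheme = urlsplit(target).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


def filter_response_headers(headers):
    """Drop disallowed Location headers.

    headers: list of (name, value) tuples from an upstream response.
    Returns (kept_headers, dropped_values) so the caller can log the drops.
    """
    kept, dropped = [], []
    for name, value in headers:
        if name.strip().lower() == "location" and not location_allowed(value):
            dropped.append(value)
            continue
        kept.append((name, value))
    return kept, dropped


if __name__ == "__main__":
    # Constructed sample response headers, not captured traffic.
    sample = [
        ("Content-Type", "text/html"),
        ("Location", "  FILE:///C:/WINDOWS/system.ini"),
        ("Location", "/login?next=1"),
    ]
    kept, dropped = filter_response_headers(sample)
    print("kept:", kept)
    print("dropped:", dropped)
```

A proxy that drops the header this way should also log the dropped value and return an error page, since the remaining 3xx response no longer has a target.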

Final word

It was a very confusing week trying to sort out which of
these newly reported IE threats were actually new and which were duplicates,
but, all-in-all, it wasn’t a good week for Internet Explorer.


Also watch for…

  • Kaspersky Labs has reported finding the very first proof-of-concept
    network worm that spreads between cell phones. Designated “Cabir,” this
    doesn’t appear to carry any malicious payload and targets Symbian
    OS-powered cell phones, such as Nokia handsets, spreading via a Symbian
    distribution file disguised as a security utility. Launching the SIS file
    will cause the screen to display “Caribe” and the phone will begin
    scanning for all Bluetooth phones it can attack.
  • There is a critical update to MS04-011,
    but it won’t affect very many readers since it apparently only applies to
    Windows NT 4.0 Workstation in Pan Chinese. This update needs to be
    installed even if the original patch was applied.
  • The-Insider has reported an IE null pointer vulnerability (mshtml.dll) that can
    cause any version of IE running on any Microsoft OS to crash when the user
    attempts to Save As an address string containing a specific character
    string. An exploit is provided. This threat also appears to affect Opera.
  • SecurityTracker reports
    the Linux Thy Web server has a remote crash (DoS) vulnerability. For more
    info, see the software’s official Web site.
  • McAfee has settled a class action suit over VirusScan Versions 3 and 4. Until
    July 16, 2004, the company is distributing a free download of VirusScan
    version 8, AntiSpyware version 1.0, or QuickClean version 4.01. This is
    for those who are, or claim to be, U.S. residents. You can find the
    certification form here.
  • Panda has started the “1st Worldwide Internet Security Campaign” with the
    laudable goal of “ridding
    the world of viruses,” but this is apparently just a set of written
    guidelines in multiple languages explaining general security steps (e.g.,
    buy antivirus software, don’t open attachments, etc.).