
New vulnerabilities surface in IE, other browsers

Smaller threats continue to plague security managers, with the usual flood of less-than-critical vulnerabilities and serious threats in products that have a smaller installed base. From new browser vulnerabilities to a problem with several media players, John McCormick has the details in this edition of the IT Locksmith.

Just like the gnats of summer, small threats are plaguing security managers: There's the usual flood of less-than-critical vulnerabilities as well as serious threats in products that have a smaller installed base. I've included some of the recent highlights this week based on their severity and the likelihood that they affect TechRepublic members. Of course, any threat is bad if it compromises your systems.


Microsoft has released a denial of service warning about Javaprxy.dll (a COM object), which can cause Internet Explorer to unexpectedly crash without causing other damage. The recommended workaround is to temporarily set all intranet and Internet security zones to High before running any ActiveX controls.

According to preliminary reports, the warning affects most IE versions after 5.01. However, this isn't a publicly known exploit, and no actual user reports of problems have emerged. For more information, check out Microsoft Security Advisory (903144).

A new spoofing vulnerability has also surfaced in Internet Explorer. But that doesn't mean users of other browsers are free to gloat—researchers have also discovered the Dialog Origin threats in IE for Macintosh, Opera, Safari, iCab, as well as the Mozilla family of browsers.

While these threats are only moderate, they affect a lot of browsers. To determine whether your browser is at risk, check out Secunia's Multiple Browsers Dialog Origin Vulnerability Test.

Those who complain so endlessly about IE should take note of a recent report from the Information Security Bulletin Web site, which explains why not everyone can switch to Firefox even if they're desperate to do so: One in 10 Web sites fails to provide access to non-IE browsers. For example, if you want to do business online with Lloyds insurance (or about 10 percent of commercial sites surveyed), you can't use Firefox because the site developer either doesn't support other browsers or includes IE-only code.

Unfortunately, this also means that if Microsoft cut out all of the non-standard features from IE, it would effectively shut down about one in 10 commercial Web sites. Of course, you could argue that they deserve what they get, but remember that these are real businesses that simply went with the world's standard browser's capabilities.

According to a Secunia report, several highly critical vulnerabilities have emerged in RealPlayer, RealOne, Helix Player, and Rhapsody that allow a remote attacker to erase local files or even take over a vulnerable computer. These vulnerabilities involve CAN-2005-1766, CAN-2005-2052, CAN-2005-2054, and CAN-2005-2055. Patches are available from the various vendors.

Finally, the French Security Incident Response Team (FrSIRT)—the French equivalent of CERT—has discovered vulnerabilities in Adobe Acrobat and Acrobat Reader for Macintosh 7.x. One is an input validation error, and the other is in the "updater."

The former is the worse threat because it could allow an attacker to launch arbitrary programs on the vulnerable machine via a PDF document containing malicious code. The threat would have serious consequences, but it's difficult to exploit because the attacker must know the exact location of a program—however, that description could include format or other system commands.

Final word

A column from India Daily might give you pause if your company is thinking of outsourcing anything to the subcontinent. Apparently, Indian law doesn't even consider some cybercrimes an actual crime, nor does it take identity theft seriously—at least, that's how I read the story.

As you read the article, consider that Bill Gates recently told listeners in Tokyo that they should be wary of the dangers of outsourcing. Perhaps he meant that the Japanese should only outsource to Redmond, not that Redmond shouldn't outsource to India. The last time I checked, Microsoft had done a bit of outsourcing itself, but I could be wrong.

Much of this week's remaining security news is either humorous or horrifying—depending on your point of view. I've placed it in the section below because these aren't threats you can do much about personally.

Also watch for …

  • "DVD Jon," the hacker who originally broke DVD encryption, took a full day to break Google's new Video Viewer. Apparently, it wasn't much of a challenge, but it could put a crimp in any plans Google had to start charging for watching videos.
  • Australia is prosecuting the first spammer under its new anti-spam law, which went into effect in April 2004. The authorities apparently relied on watchdog Spamhaus' spammer list. This is a federal case in Australia, and the maximum penalty for sending the alleged 56 million spam messages could run to $220,000 (Australian dollars) for every day the company violated the law, which authorities allege is about one full year. According to my calculations, that would run about $80 million.
  • The next time some TV news show touts a new pharmacy or hospital robot as being a great thing for patient safety, remember that a robot ran riot in San Francisco's UCSF Medical Center in June, frightening patients and staff—and even interrupting a medical procedure (fortunately not in the operating room).
  • The Supreme Court has ruled in favor of copyright protection and against file-sharing services. Consequently, you should remind users to never install P2P software on company machines, or they'll likely join the 784 new targets of an RIAA suit. Check out News.com for the actual legal opinion.
    If you want my two cents, the ruling went against file-sharing services and said nothing about individual users, but they were already clearly in violation of copyrights. I might have more sympathy for the targets of the suits if virtually all of my personal property wasn't intellectual property.
  • Finally, for the sake of comprehensiveness—and in case you've been in a coma—I should probably mention that Atlanta-based CardSystems Solutions recently allowed the exposure of up to 40 million personal financial records. The problem apparently occurred up to nine months ago when a hacker penetrated an Arizona record processing center, and even MasterCard didn't become aware of it until May, even though they didn't see fit to share it with the rest of us until early June.
    I don't get it: Do these companies think people won't notice? Delays in notifying people of potential identity theft only compound the problem.


John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.
