Researcher Liu Die Yu has discovered multiple new and critical vulnerabilities in recent versions of Microsoft Internet Explorer. Microsoft has not yet released patches for these vulnerabilities, which mostly involve the way scripting is handled, but exploits are currently available on the Internet for hackers to use.
A number of other security issues also demand the attention of administrators, and as usual, you can read about those at the end of this article.
A report by Secunia details the IE threats as follows: "A redirection feature using the 'mhtml:' URI handler can be exploited to bypass a security check in Internet Explorer, which normally blocks Web pages in the 'Internet' zone from parsing local files."
Another threat is a cross-site scripting vulnerability. This can allow an attacker to run script code in the security zone if a Web page contains a subframe.
Another vulnerability can allow the attacker to hijack mouse clicks on a Web site and permit the attacker to hide the malicious activity from the user.
The original bulletins have been included in a list of 35 IE vulnerabilities at Safecenter.net, apparently maintained by Liu Die Yu.
The exact scope of this threat hasn't been completely clear at first, but the vulnerabilities definitely affect the latest versions of Internet Explorer, including IE 6. It probably also affects IE 5.01 and 5.5.
The combination of vulnerabilities probably should be rated “critical,” but because it’s also fairly easy to mitigate the threat, I’ve rated it “high.”
Secunia rates these vulnerabilities “extremely critical.” Perhaps they gave the threats a higher rating because the discoverer has also published exploits.
There are no existing mitigating factors, unless you routinely disable Active Scripting in IE.
Disabling Active Scripting can block these vulnerabilities. I trust that most admins probably know how to do this, but you may be able to save some time by providing your users with these simple directions provided by CERT. Of course, disabling Active Scripting can play havoc with the way some Web sites work.
Microsoft has not yet released any fixes for the vulnerability. You should keep a watch on Microsoft’s security site to see if the company has responded to this new and critical threat.
Perhaps because of the new monthly security update policy at Microsoft, these vulnerabilities were widely known before any Microsoft Security Bulletin was released. Even if patches are available by the time you read this, they will be brand new and untested by large numbers of users. That means they may contain bugs, as new patches often do.
Also watch out for …
- Cisco Systems has warned that Aironet 1100, 1200, and 1400 series access points can permit WEP keys to be transmitted in plaintext over SNMP-managed network servers. A patch is available.
- CNET’s News.com site reports that a flaw in the Linux kernel has caused the Debian Project to warn that attackers compromised four of the project’s development servers in mid-November. This was a privilege escalation attack and Debian has said that none of its open source code has been compromised. You can update to Debian version 2.4.23 to prevent this problem on your servers. The attacker worked through a compromised developer’s computer and successfully penetrated the bug tracking system, source code database, mailing lists, Web site, and security patch servers. Debian says that because it requires developers to include digital signatures, they were able to check the databases and found no problems.
- Gentoo Linux has taken one or more of its servers offline, apparently because of the same vulnerability that was exploited at Debian. A Gentoo security bulletin reports that the rsync.gentoo.org rotation server was compromised. Note that a quote from the Gentoo site says: “Gentoo Linux can become an ideal secure server.”
- If you’re experiencing problems with Symantec’s 2004 software, which includes a new product activation process, you’re not alone. ZDNet reports that some users find the software keeps demanding activation on every reboot and eventually locks up the system. Symantec says they have corrected the problem. On a personal note, I recently installed Norton Internet Security 2004 and have had repeated problems involving extremely intensive disk access, which caused a temporary denial of service event, and that’s just on a nonnetworked workstation. There is a patch for the registration problem posted on the Symantec site.
- A Pittsburgh court has accepted a plea bargain with a local hacker. Ken Patterson, a disgruntled former American Eagles Outfitters employee published confidential information, along with hacking instructions, for the company servers after he was fired. He has received a bill for $64,000 in restitution and a 1 1/2-year tour of the Federal penal system. I bring this up because it might be a good idea to post this story on an employee bulletin board or include it in any discharge packages just to remind people that the courts are passing out real, serious time and large fines for hacking even when the victims can’t actually document specific monetary damages. Actually, Mr. Patterson got a very light sentence because of a plea bargain. He could have been fined up to a quarter million dollars and received an 11-year jail sentence.
- News.com has reported that the next version of Microsoft Internet Explorer, due in 2004, will include a pop-up blocker. Many of you probably already have blocking software installed, but including it right in IE will greatly ease the maintenance chores of administrators, if Microsoft does it right.
- A Microsoft representative speaking at a recent cybersecurity conference in Wiesbaden, Germany, told the audience that virus writers are still winning the security war and costing the world’s IT resources about $13 billion every year.