IE May Share Shell Hole Found in Mozilla

Security firm Secunia reports four new "extremely critical" vulnerabilities in Internet Explorer that have some security experts asking whether any commercial browser can ever be secure.

On the same day that Microsoft released seven new security bulletins for the Windows operating system, four new "extremely critical" vulnerabilities in the Internet Explorer Web browser were announced Tuesday by a Denmark-based computer security firm. The vulnerabilities discovered by Secunia arent based on errors in the code of IE, according to Jerry Brady, chief services officer at VeriSigns Managed Security Services (formerly Guardent). Instead, he said, theyre caused by weaknesses in the design of IE and of Web browsers in general. "You have to wonder if it ever makes sense in any case to accept code from a server and run it without authentication," Brady said in an interview with eWEEK.com. "Web browsers have lots of things in their functionality now that are well beyond what their original purpose was. Its hard to imagine a Web browser ever being very secure." Microsoft has announced patches to two new critical vulnerabilities in Windows. Click here for more. In a security advisory posted to its Web site Tuesday morning, Secunia revealed new potential security flaws in IEs Active scripting functionality. The holes could allow a malicious Web site to circumvent the browsers security settings and execute script in the browser that could download and execute malicious software. Secunia advised users that the only current solutions to these potential threats are to "disable Active scripting" or "use another product"—a browser other than IE. The first of the four discovered holes allows a remote Web site to "spoof" a function within a script with a function of the same name from a malicious Web site. This would allow the code to circumvent the security restrictions normally placed on cross-site scripts by IEs security settings. Another vulnerability tricks users into using "drag and drop" functions of the browser without their knowledge to add malicious script to browser resources such as the "Favorites" menu. As a result, the scripts can run under local security settings. This means, according to Secunias report, that these scripts can execute local programs on the computer from IE by way of the "shell:" URI (Uniform Resource Identifier)—which usually can only be done by Web pages on the browsing PC itself or on "trusted" Web servers. This same vulnerability could be exploited in a slightly different way with Mozilla, but the flaw in Mozilla under Windows has since been patched. Security Center Editor Larry Seltzer questions whether it was a bug in Mozilla or a bug in Windows. Click here to read more. To take advantage of the vulnerability, an attacker would have to lure a computer user to visit a malicious or hijacked Web page. Script on the Web page would then activate "drag and drop" features of the browser to move malicious code to the browser itself, which would then execute and in turn download software to a victims computer. "The download can be used to run code remotely or insert a back door that can be used for a long time," VeriSigns Brady said. For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog. Secunia also reported that it is possible for a script in a malicious Web site to load script code into the "Channel" links in IEs Favorites menu. And another vulnerability allows scripts to change the appearance and content of Windows "pop-up" message boxes—which could be used to fool browser users into opening files or executing actions that could harm their computer. The increasing number of vulnerabilities in general-purpose Web browsers may spur a trend toward simpler, trusted browsers, Brady said. "Some financial companies only allow certain browser types with a given set of security features to access their applications now," he said. "I think well see a trend toward browsers where the design objective was security and simplicity, not eye candy." Check out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis.

Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: