Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


IE May Share Shell Hole Found in Mozilla



 By: Sean Gallagher
2004-07-13
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Security firm Secunia reports four new "extremely critical" vulnerabilities in Internet Explorer that have some security experts asking whether any commercial browser can ever be secure.

On the same day that Microsoft released seven new security bulletins for the Windows operating system, four new "extremely critical" vulnerabilities in the Internet Explorer Web browser were announced Tuesday by a Denmark-based computer security firm.

The vulnerabilities discovered by Secunia arent based on errors in the code of IE, according to Jerry Brady, chief services officer at VeriSigns Managed Security Services (formerly Guardent). Instead, he said, theyre caused by weaknesses in the design of IE and of Web browsers in general.

"You have to wonder if it ever makes sense in any case to accept code from a server and run it without authentication," Brady said in an interview with eWEEK.com. "Web browsers have lots of things in their functionality now that are well beyond what their original purpose was. Its hard to imagine a Web browser ever being very secure."

Microsoft has announced patches to two new critical vulnerabilities in Windows. Click here for more.

Resource Library:
In a security advisory posted to its Web site Tuesday morning, Secunia revealed new potential security flaws in IEs Active scripting functionality. The holes could allow a malicious Web site to circumvent the browsers security settings and execute script in the browser that could download and execute malicious software.

Secunia advised users that the only current solutions to these potential threats are to "disable Active scripting" or "use another product"—a browser other than IE.

The first of the four discovered holes allows a remote Web site to "spoof" a function within a script with a function of the same name from a malicious Web site. This would allow the code to circumvent the security restrictions normally placed on cross-site scripts by IEs security settings.

Another vulnerability tricks users into using "drag and drop" functions of the browser without their knowledge to add malicious script to browser resources such as the "Favorites" menu. As a result, the scripts can run under local security settings.

This means, according to Secunias report, that these scripts can execute local programs on the computer from IE by way of the "shell:" URI (Uniform Resource Identifier)—which usually can only be done by Web pages on the browsing PC itself or on "trusted" Web servers. This same vulnerability could be exploited in a slightly different way with Mozilla, but the flaw in Mozilla under Windows has since been patched.

Security Center Editor Larry Seltzer questions whether it was a bug in Mozilla or a bug in Windows. Click here to read more.

To take advantage of the vulnerability, an attacker would have to lure a computer user to visit a malicious or hijacked Web page. Script on the Web page would then activate "drag and drop" features of the browser to move malicious code to the browser itself, which would then execute and in turn download software to a victims computer. "The download can be used to run code remotely or insert a back door that can be used for a long time," VeriSigns Brady said.

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

Secunia also reported that it is possible for a script in a malicious Web site to load script code into the "Channel" links in IEs Favorites menu. And another vulnerability allows scripts to change the appearance and content of Windows "pop-up" message boxes—which could be used to fool browser users into opening files or executing actions that could harm their computer.

The increasing number of vulnerabilities in general-purpose Web browsers may spur a trend toward simpler, trusted browsers, Brady said. "Some financial companies only allow certain browser types with a given set of security features to access their applications now," he said. "I think well see a trend toward browsers where the design objective was security and simplicity, not eye candy."

Check out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis.

Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:  



  Reader Comments: IE May Share Shell Hole Found in Mozilla
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Sean Gallagher
 


x}ks㶲*Q3Co{)ٖ:-K3ΤJKĘ"yH'{rkĹ;ؖnt7F;vv IM˙sל۔\sPç v$vv]2i* d&@ jہ)}mk4 uBZ;[;#|6S%߽w *s=NNKԚLæzg&$l dkbp,FcwO5d{9B ~5[6m(GJr ZB'?*B4 \2HTߦuB)~{Te䆡;g? CxKt/"(?c&cZ?9;x'fwgB(ƻFՉziZgdd vu=yͨKQf3r=BM*-M DƞHC d#̒JKN`:rm3G^C]õ]Z.R͌eCwt=POMҷB($g >v?&?Q Ig%KaV#vRxA'ס" Gm_k|tfs's~3 CoZeNDj%o~cnK(p}=\'BL}:n/EӝÌfؖqSth(́V* (ZPʍxxg9{ؖ3bTzEÝ1)UUq޿^HQPwÑ;7@VV0ݣ^w2 Owu@ΰ{A~$Fj}&UJDZ-fi& 0h!5ttrAX{x\獒A7ny%(7Jh%٥~`Y̞ofVҘ gUU,X~2t.˫nCënl,OaV4*2V]鮘ȏAժ{qܻ9|u ݹOlDM Wh6w0Nկz 6O{:$54Y01\ \^4$eLCxY$Y.r:8?# | ,-˝)Tt< ,_0f k$LJFo$3NE ;- uPo4C+D_x0Nukn6 G@kiFkPYTak6R\ 9jb)6B̄H )'7R?oz@U@ZZ~nV$9USEI7#DL vxr!DKI 88g^R]E1\aU<<uwެ-Ujմީ/~iYwΤui>^uIwNЁ)WIC EhYf7-vIqM}sQU ,PߢW, FKP̶#ؠe)u~ΆmNQ'}59'4}t>'჎$>h&ƋCriZnL-rӇtwA+wOݺzL^TŞ+LКkFm &>ql8d$n)s>sLn-0(5I#=ˋ0P6 = 2/?>aCxwݐH~OBt"AђF )4 g CX"K"'A77;.V+\y"*M':܉;T+/2ڹLX)gQY,p[/)͙J2d0U Q򍜘=b`&Qea*0pRx5Vn,`oʁ5ut@ބxl,aCtH{8la [NHu0iH\U`9ޟF~Lh?wܰH}K=:<f335{80q}`] k{2oiB7g ƩeLI|B3} H8M;luV<ۢf|a* ,qrׁfX8ȣ=p TfҬt|9厬m[4@~T&](\uΩIJ&k*HY3j-yrDr V֌Or1r@uOSjS͸VTV3Q2-C+NEۋ)i 3X-8G/4- {'ٲJb-Yֽ Uv/KƠR?ouJiO,odm_EڠueLGeK-# IHf(XK+ezlx8$&le6LE? 7=}0\Re_` }dҶMj٫ X37ld tAqFAݔ`AELl5T թz@4}&I;{\OǮ!C}zN¢ -{h'^+0ZN + RIS_,d;W.P9ufjYE` dEN]tCx!+pDZ\P]\C#+Z&`ѺITNȑ1[DG`; nuESUG݀ލnF+ F vgS(0f{L PwA-~¿rZkBZ'@ upϭù(D Qpᘙ@FSS؇dm/RkK*~iϻM^,ߜmhD1(dyDF4D/qbk Nu|8ZJ5qvsTy9kY%f+eEyZiztylƵIT{E3p{ݹY$'8 MGFi$]k|[P vfȵ~ w3m94c~(GcjZ% XBObK>aL:KlCs0X3f~:ktx{z&wufǿX uLB-oc dc0=̞̝A mۨ L Ua bȈCzfH~zF9pTjgHUWt<,#Li7IղAk JZ8~G;a>&rn&kSHG ɲ\' ׫UVj8H3Ay vBs=A<CMM8q{^ar0uq8(-E<9_K84J xϰL'JUVqm?3 cS7wv_ 5@ E D@D;n?% ?S-l8-F:w~ݕDw;]w}@:iw>&=~f?Н :w>aa= A`W/;^j\#-0MC~ǝ_IWR&Fø@o9)P K E1>bt߫]=-co/݋a=; Fk"^9 s}{!d};]x{ёҽN zs5ADH}䄬W!y:FS̠o2XGX=ֈdȰ Z(Xƥwûܹ Ӝ4"z?N3bn qZ1w}uYLPH:>Xa@HR ~tqy .g@d@Anp+z!NU HE*e4ДKe=:)K<;ڜ) 5Eſ}YVSX x4~WK0fAba+F+=ǭHlI NAn|>p_<Ĩ9n1pAZd}\^eԉ9%2 \(?m[ħ{, /䎱G=:dSNM(iQ-uyjtJ9S"\ a?6H P,OҼe=lI1 iK"ih$bbVȆRoپ؜6<5ަmƙLƗHΖˬe̗4.נݣY4V#"|-&X!*VZZFZv*'?vqbwy`(>9-b{~Tm4j۾+ttO$Z؍ڑq eީӊN|mu+ɅNo-!WC1kyT̵j dŽ%Ɣ{`sBk|9GQ r0xf&4NlEwy'(" xYESrm]O}4]vY͠y{`o&|)s'A֚uhaJofm5Şa4 ݣovV:}i?vݷ;޽s¾"CWq k:i)`* 94DhH^ݍ X"2NIJa'>8zdM#}9JfyӼ4hɘAxl7B_7nC]pb]sT xB`o~ˤaW*]c{*{w}wﰧ]VZtC.qFVd/)&%ΒE LM OKt1ڬ/ۥ{HkYXdbSOٞo 1O O=qԱىCX ?*4lo`zS`{ƅ=RH3x < v<.߮ݘ8)<A~F<vL4)[+xΛf}ia3⫆†?u õY`Vaj8-7$\}1 ߈;6bE QM!XQ|=L8s{C8jRSWW&6o)?.w?.FӞ܊MQ@,2.mE.zQv%Fs7YS+x˗t4q2L~x+jF)Y9l%V)&L1+dXZ%t| Y,hK.ИseRno8ԧшtf9[N"C@:c_Ljer]_UMi1G>q}rcf$&iUGnkW^˄2k] VNx78xt91͏'6aS:S"n^:TQLajq cHϟH]?uDpvG05E Cb:Z-kQw`'`qǠ ~u ;\W& <:uZn I,'Cq$_e0X+ZEcjcD٫ho7) MKǓ|lu l5eBޑO;i.Of1-9A85ymYbD"dFF%أwrZLcsĆ`IŠa7UҩJw]RSZX𴝩G+v!oWH]JCymbSXP>oIZIr&͟%gҚ4iT5ME}VR9]igWˤWǹlwk<6wr!DK(0+.z$TXL00iDkJ`*I;|Is6TkH=+eMʺmX*J#6ꄵKX$nDLt-WE"=DsCܐ/b2i߷;$.RAE1WUiǡQik1lo8keT_4Y^[DvJX &YC:b -EV5#'k,`bü "<.YF.GA7-+G8ojk__bw"tI]Ϧm~/x-6^D8$J5:E;ZV}k;c6, qq22r:=*q^T5%Օ(V?~Hsw˶Ҫ*UWʯF F2Tkï턊y߾oQaqC~XO0%Bx}usc7ŵi͵>(Gt:uBkgq_f^yC۝ZV[L ݩܱ9Rş ovz)ʧL˞끆S.zzM\"ūxLh<%oA͹r_|k ?]"3`n7* =-찆߼3!۩͵,fER o ZߤW-I[ O *`εm{;hOҗf>#b1DKb@/j2֐]B=Lp,VL7i+ɽ4n[*-g ][G?|ƞRo|֊OZړYΞCmKxXfTn#n$pK4&Ku^8GO/ :â= LamDߣ݅-Y?`#P'}dɷ{1VwcZ`2UȏS QķDd¤ZYt'O|D2y(Bx8n g{{[֤$]I"Yv;"(7uמSN|lڏ/wjj}ۏo3ʑ? TŢW\z#5|5XL:{O2C[ĆWWc#kx|_^Dy7>i.#؝Oe9L XUĠAɌB<~wĸW\xmwI0XWkf+ ,Erb֪Y"'"KIE/]Q|~4. dR /)_V6LPr!Fm.MEfIȢDWE\1]&ՔZr~^ :XuV%d˘x<VH=Қ0&^OE*ނ0H>PS1TS UH+4h 9D@qͧ5Oj6j=!Ƀ`5bÃZOk]P;Xifۼyj+n-{sxb(ͪNTBpd*{ 1InHuu-MEIL:C@`m4,\ 6BπTa>A4`]*sjZ%<0h3{T¿Tj~Ew(/9 ίĕպԴzYܧF(+B!}vn&ɕN^sk§݁|ӂ"Z{4ֱ:r敊V.ի;oߓz#TXCк2fQ&txZڊRB{od`cse|tP[ozp׳&aIK+ CKŸJao4bz^+jB6"|3Y,l6w:D]%AJ%՜tg@EP]/0Əļ\\snod0a,,9+cYZ`3+nsl+ZKɶ8+YlwAQgg)q8 @ɩ莅_c@$}/Hk4W"Y`6و۳jM\\pEu =0]W1Ք7ZvN[E 5kL(:_okɀ XPp}MI٫T~Nᇇd>MYx\Jӑu /`|$z̥7f{@Tq 81q,-D|E|z['AU}>l1=hb#HB0\'u3C{F.:`й꣇U #yޝ ^b߳.n4{>z(4<QwjL!'vq]Q sR" 1u1 U?#7,>1>B$!iƮW}0Iݽa?ÈGs{QZ"`Z1ш@Q>ɹgMN:pxXҚ0!RAA26mDRRictkXaٌ=/؋`dK{S{%H"V|8snj}J" rܗzJ,W@T:t]\VP*@H>Q|??­!Rfjs# x_&:13  :la`t.tgAؼO^Fxj&hf,EףΛ]-GAG͚G71`p ?v-f!usx\fH֎I$Ѕ:x,@#!9ωg1ka]M-#Y?AaP8Z  +z+uT'I]WP)9CȮ KTU:|.Oa@eyݬf/oU\iJdR. ?h$@쌆=xɾx t0 c3brLufxڗgIUCGWAwA;gk<m[4z?V9>]~>^t.fbv4m+LJry:2 'Sr3\h^EqɃwe;8^;;8{Rf}Y QJ/Ni01c>>Z>ZAw/N|veI#:jS#%j:&,8i67a\nq4ħYh@zB+2[EYNPsNPkN_/?js{P)GN/?wrʏh} $>r#\_~-N˻DžV8g9nNZ?s?Cg,9ғ3>y<><@99y^ ?唟BiN?9P~S{3 ?9sw3~=/=?/9q _s?}?(e}G௏9 ?~rCk(+kh:kKu3Ay;Gڗpzz;29)Z9R{WK質9+V/_̡sTh3*Я#Udnldڽ<R+ ]q%>3-{ᘴ[˺rPKȣ_xi +{IaOW4:<)X9vFnmldQǒGЬg]#=D)se.o opfǙ@ @9z\pm`J_|W-ahOW=M5x.nm;yx#ֽ2"Z;Yo%P/Y#IsDgev0ACѺ`*+6:7q3[ Èàs H?19?#|@/kOgM>w>^uoҹh /:35K쓭߇M}f`ͼTV)pF;F^a%1zIxOa4EL=#9}54]MWnރ97w&ߡn &)xT-kZYoZԪw俓+v{DDoM&Q5YUdN.jUQ)&K<# .=M^et fMȡ!pAfJC#Dk(x>Xxqc6Ew_,mBfh0l|y Nd@?o9Xj,.#v2'Q+<ĝC+4X pou1R  {{[2gډe:`̔I8#ݞ$W!-7cUrߢQ'C<:,ed` tOЫÝ^:&23Mť{6oo\| "e*sňB` j?5n%c$Q.S ɍErby060wH> PZcV}U#"0 ۏVӄ.a삆ws$0y.6^Ťe @ a -HZ}vҘ|&1|98𰙄i׌oڣLijG[wzhLS,i_cErh9GUZCQ8ۈqdA(e6Lm (~%6,wdsS@yȅ=y GD? T| 5\6LDRw }B0yNmv8@9DEPމ!/[v2gR*4%NSЊxS*xEy?6 Mخ;Oq^Gd9b7 o9cHPWWݜ햏 OXo| 8jO.d6CF|gK 9D/7ag} r@bbܢO_\nP\jӟf͙L.BTvbbq Y;gf;q * 8&U]66sP/uKW}Q'na|d[t%K^FzH‡%!Ҷ\)Vcʥ.Sܟ?Baҟ_7!2,{ QFbvMshՆG0ޏq7PR|@xS a JʶE=b농 Ѩip[TVDnS^moymOEmE>m+Ѝ5O!igNbkcb@xV=d_qxFN|L/X:dg)C2^#s!? LnH2m^^kti( aavX":xqeQ T,7:KcA <] y>$oꎾV;~v?;HwD a ѸT\Ɠ_wN+zg,ٺqKG?}86=EKB]w T>V}|ܽuM+_1dF[Wy &F{˳̦UZ*$