Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Researchers Reveal Security Holes in Internet Explorer



 By: Brian Prince
2008-06-26
Article Rating:starstarstarstarstar / 13


There are 2 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Two security issues, one in Internet Explorer 7 and the other in Internet Explorer 6, could leave users open to attack.

It's been a busy day for Internet Explorer security, with researchers warning users of separate vulnerabilities that could leave them open to attack.

According to an advisory from Danish security firm Secunia, there is a flaw in IE 7 that can be exploited by attackers to conduct spoofing attacks. The problem lies in a security hole that makes it possible for a Web site to modify the location of another frame in another window by setting the location to an object instead of a string, the advisory states. 

"This can be be exploited to load malicious content into a frame of a trusted Web site," according to Secunia, which rated the flaw "moderately critical."

Resource Library:

A second issue affecting IE 6 was uncovered by the Ph4nt0m Security Team, and can be exploited for cross-domain scripting attacks. The group posted proof of concept details of the attack in a Chinese security E-Zine, according to a blog posting today by Yichong Lin, a researcher with McAfees Avert Labs. 

The issue is caused by an input validation error when IE 6 handles the "location" or "location.href" property of a window object. The vulnerability could allow an unauthenticated attacker to remotely execute code in the context of another domain.

So far, the vulnerability is confirmed in IE 6 on Windows XP SP2. Version 7 does not appear to be affected.

The issue is very similar to the 'Ghost Page' issue in IE, which was originally raised by security researchers, Manuel Caballero and Fukami at Microsoft Bluehat 2008, wrote Lin. Weve notified Microsoft about this information. Until a patch is available, we advise IE6 users to disable scripting in the browser or upgrade to IE7 to avoid potential exploitation due to the public disclosure of this vulnerability.

UPDATE: A Microsoft spokesman reported Thursday that the company is investigating both issues  and is unaware of any attempts to exploit them.





  Reader Comments: Researchers Reveal Security Holes in Internet Explorer
>>> Post your comment now!
perfect programs
I think what we're experiencing here is an overall environment where any given program may be safe at the time of release--but that same statement...
Posted At: 06-30-08
By: oregonnerd
A user comment on this article
It seems to me that the programmers are in so much of a hurry to get some new program on line that they are not taking time to explore the potential...
Posted At: 06-30-08
By: Lloyd Hedden
>>> Post your comment now!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Brian Prince
 


xr80VӮcV%UȖ\֔my,UyF((ئHIyωo&nZhKu%LܐH$~ 'I"gnZ΄ܦdwÀ>]K$B}wNUQV #7((bP<HwO7n[Q0R?`᳙*,Q  tjGt0]2d6;k6!o4vekOh cߨ_X&``1\t|TA!j :iݒ |i @I>b(h] ]( Ѽ{eMQR`N Cw&tb9 Q6RV2/Fӽ<t[h #k|E=x:Q/M+lဌl׸ڮUX'[vRQ(0B.Ąu#wJ;qy'M8NfQ%p'F:rm3Ck>LNZ]@Z3ˆ辥{$)5= \o4"1lp2E9$7 \h?yiVN8CYnհ}= :ҍ}4 .j.9bM ͻS P2zhN4,2QȲnMwͰ-P6CMTjR?tދWwcwm9{ U wht??S)y{zY !lݹ܎ඒk%m{|NsvN5yvty/ȯ0wND_jQEVKY/LZH<&n#ydZj/4E;J KHS = (1N,#u;Glj\ :WW~ :ǧGW wb٘XC ji@U$\]HAբ}|qݽhwEڝNI; i f׵V~'^=:$lrK,.iTW%vxC!u{L ,_e=h!_w nr@ i/]"{,Y`M`ImdƱ(|ǺrN9AcE>oU:_T7ohH2 f4 mp  a6FALu\ Q#|`Mil&XJp?є6`i˫1TE0mESq:]Q4y3Dɭ g/3/r.i"}h8yWTws izT29;>D]-7kDm,-ɺs5-wj;]g<:mҿ]{>t@*ktI=XC#ʠ:ڴ;\VS4!&- 'pbdx: }# 0f4mLH"AЂMtT8n]`2Z9ܹ ([ hk= `Dy+wMGHb1(=զA{Tg,zC {k6G~[>l0szQN\Q@m2)%%E24.'H(AH 9[h ]99z|?#!bRN[ T6ݞH:s'PT+esMX)gQY,p[/)Pf%5{~6 cbB|#'&Xr`Y \d+|i)lb V-iiĨP^Cs2=WVkEU} H&|T<P9}:79(gpHl`_qϟ  sWyGYa0Oy:kR^K?aYjx]1*(S,i0ȡ;Su`ћzř1FtEkJoοCu :pɥK-ޫp)#Z$ c`ײ. _kOhR9A} l#d;X~\W4Uud¹`Qеa#ECwV8% P"7h{eejڳt_KdwT |qCZhCM$`@" jEv~ia~~Kˣ G{icf MafFž nJm^RK{m7xE0s-"fdaDF4DwbC-ͬR<ܷVuPB&75ϣJA! p]'oJP?(nsU-yFo =Jȵ }}9~ܔyeb@mjgE@?}誦URC}2YhSYpg#ؚIκVuLY:ktݿy jm==#ݸ{r_"wsԷйdNkl C?9dN@u3 U s4NP&5߹r4h}m>9Lci4DZ6qiv?)1'y] jQ ˏ}b*kZQR^? +8rk,: Jq~Z τkx|A 6 2j=kR/Jܦ厈@vG^Iў Bb2Q{L{]M;k]A Tcn?eFqjMluP U)7O]%T/IjYx>80xnDG}x$pM\&HW6YdEh0\^ < =蕣`;p[WKǽ?wHκ)ޠw)z2W#&:~8`O*aӺ?>m6<̰6MGkd҃aH`y,v T/Us:TzF_j,49ψAT p0ZS!Ί0 V`!PH:X!aPHT dDۿBlb%hղoeW!؉|@s`*c=S!L QʕrZTiTu&̱0ktH]<;;WQ杊 H-Э>y{ho&|)s'I֚u ha`Jofm6Şa6 ݣovV:}_OJow{ѧ}E4 t3V* 94DH!H^ݍ X"2gNIJa'>}8zd2 ,fsx3D?.yiҒ91>onP;-4z4ݷP%(bAcqU~(TR-.aO"J骇v9c]MU,^RRMJ>]%k" h6vo"Ba"fsME[oZQ-&WLΨnb4;L$#v﻾ 0B޳] &5`OZ3[|A`N|xJbߺ<꩚ZMO>tCSa"1lRkg_ߚ8JU+Gv_~VJ!9D'ǜ!̆e oNZ UbG SR#m:nU" ;ymwQS0%&nZ wT,LaMQD]N|2,^P kY$gLVBaE:hQm#'1[Qzjȃ򬌚A9r ׄH1JZ9V8NymY첎C?jގ#mFh'5XR1f}t¯R6dO+O\л$P)t+ M<)`Iwg$}!Q"=ΰӟ㠹+7 ;mATURoGrhM{qZKYr  O$:.9ıKݎTۯJ ,0H| 4u;"L=;B؞\5eSr-8y"4σPb"5rKQuTMP/B,q>o []'HMɪRˮ+Z&ؕϔH \iRy@ISbDijI; ,6GB /֭(("KoK^l5h̛Q'ʦtR{y:t/tgɚH- qKTP7y4rI!7D8"oN6xL#qխh.)yRv\k\D2/.^JY)M+:Gc8Il}/bNa1䎥g,<ucܨMխ| Q6eJF(t>3`٦j_Y0c6yQ5_܆ +"2M=yyg!2v<ܑ==NB`A.Pŋ)XO ax)[%UY#ɍjQEњAźo8o8;y3Jz ɚT`15ӓ8[rӦgQ'@WbuQ)Xq3K)蔺3woYDt4a l(2$]INaҕuoR^KvIv k#9<w"Z&: $Gh^2m4 i*~sЮl>mvg`}o- CKT˷C8H"eH~AQy8Z0D_=!>q߸TVU/?EZ=Ǵ9-]R׳)b5ڷ-bnw+L$!O.0Hit{\H[\n]a^b 'bX' 4q"!o 6{t)=ۼRrOjr,Gۺ C؆_#KԬE5:&[UJE:`W4F+⌱faeO%sߘ%I5P"IK)zv פ{ t: k[2(P*>kA~i//m~9#0&V-I N *`aꨅd=I_Ϛ ,q()Zbp6]?r Ecb>kܩlc"8 ›<;X1&Crp"3vcO{ eoTZWIY1+so| ЌBMwĭؒA:A\~TPAfXt~DY1K#Mѭ*b m0B~ LuM|y#oͩ?.&Su,,1T%ߛB~f뇺ݬ} J8+O|odQ?(p 8oj[I'Hr!D<[2wDQޯ*F]{N9- V /~LX(R^q}od᫩EP:8!A%9tѰp L68~܉A">)fF<&Lgj=!vc`)}+n-{sxb(fUj*qna8uf;=Ԙh 7pxSc]yqR!ZGI/LٸjX{>ITap}jh ܻTԴH fzVCTj~Ew(/9 ίĕպԴzYܧF(+*:g7aTH\i [XSP}"Ql;Rʥz53۸izaOӭFELX|9(ˇxxX R{N~Cy>|[2ONcˡWǪ%chٱ&~JWrӥp@JXC@W&Hm#nA'[,l6w)]l'&vUZ R j'ϳ W[ "yFskW'\\sjό\#aeIX+L66mEUk)7g%;څ]`aYL\#&K ::Iߣb7b~m>sYu?d#jϊ5 uUrEu3<0]LaרobF).o2N[#{1f4c=ԛPxcDU<11t#PγjNT]OpY|XC3 #L_~­R^+oS[ZSj!_E$_Ɠ,=M1KxE>o @4pMI٫T~jчLJ/tX0/b3-#>In12K= o~{@yq 81r,ގ-D|Etz['U}>l11Chb##VB0\'u=#Yg0\*KOQ^[2~`3] Y[hE``!'@vq]Q x,]Q. *`աu?䏃 tS)sSx- rH(G}8ѹxuW1"9'0ឩS1,'2-kDM(qi+8< ~3&'N;"&(6@א0H4alo0pF$%xL1f`ڲ a9=g1;my^\l/u #{K?-P֏X G3wاX,}IJH (U,x@"F29C(c~JDFx_fFé :la`t.t?ϼðq7]_G@fVIpRt=:rtԨ)ʞ*|{#@u 6 2S¤vt*\/?>').yDci 8^iN4_Z oX62 =6#`;7LкAB󴻾.4r_7^C9/4?sʿ@g,9C3?0<~ss?9y}}'E/>CS(?)#sa~/r".`.r#z _z92>.˜~r猿7ȡ_?}}ʡP99g|sw y@9{ _ wCi]'I9z[9|ֺą۩QNy<ʡJE5ৼrXB]Cy<*PC/nr V=ןbMexG,D<mcLkbžȁ>l̼5(s#h0 .Ǒrۿ剹?|k2yi8l? { opm`LYX-ah0.: 7W=M \ڎwڝGf{ueePsvdmoCdx^$ٝzÀ}G]xZLܸҫpoQ^" #"@ac,FF>^֪_p3lc};su:^>tCg>k'[*8y:RM ?|Y&ƀY8'(NBhع+jzG|t5pÅ͹qgush4HjYj ~ZV-#\!aڌp=b $&4vXW5r(2B4|OӴWY7tS+rc<{+4wpY-}?"z%~@N,1"e/cA6of!3^ ~*_v:i(G<)21 1@͝eN&u1*r>b%q<`hoX.>&]\ʠaCo^Ėٵv"n<2w)z6eP4ǭa&r2oˀn4@[4Dr(9Pų l1Aҙ |u/ \=w`p*cc>mTώ;[9 Wuu;_/T3l~_tgc͘&SO"=/x^;4m!F22X1>/亂mKz=c,g~Ҫ<@p79?`&<?ÄYRg%^#%&a"c'x I?X7` @=ɡ=W]rS$)<#!1苄I Mc  L:B2,%؉GGuhJ ]~iW,HF|m+^2PzSA۽$}מ X?(xma?>V@sn`bJ0ohq]}F53௚B㙸xz^Db, O*_H&muWsKlClnT8NcA>XE4!/[v2g S*4%SЌxs*xEy?ĵ3 MPt[:SAW Cr 3қ1\c *|?OGe Mwt4?@&s ܈}lI5#_?Fq: /A.sl2qV<3@WD0;"6Yc.#sEX,8/ kuf㿶;ƝOQh| W91-"ux -] E pymӕ/y9" #V|JRX}P?(:OOgsZ 4_Hʶ› *(}X^c 0,*0%8u vKѪ N7"!aNo0n%/$9&@ Rs=V*)vfe6r.*l XGڦZ-Qa[Anb=Oy꾉=e-{B70* <Ǹ9m@>{zw1Ǹ[0rczzwY= li12#, $$jVI;;Q0&iE-ȓl`Cv_)~ph[?҈YA wVǰ=BO7 PO80Ux|-h\l}[xtmx0#Ÿrz,ŀ~U´Bd+KWԵ1%X^5El߂*Ԉ|rR$0$a1+>c-hw͹!wS׆)0ѕD1F(g,1f wAx& =`#hxj"nh1 d'k%I Q >d31#7Dj0BrH d[H_مt&v3k)/YH~1  <99.@$NSP_X1]< :L+s+ Sq||9,]S,w1NZݳ/<|;Xit0y']f*FRqOR|~8(>3u㆗?~}hKQEy遢%!ڝ,!ջl݋xY`*XEClMc01B4[e6TRA$7}M1ec*d_)K]jq[OE(~ )#U:M\"Zi/!zRM%Y;~XX96v6̈́M.b&;f1Բɽ*