Advertisement
Promo

Security management Toolkit in association with http://ad.doubleclick.net/clk;214682528;14505427;f?http://uk.blackberry.com/ataglance/security/

The dangers of scripting flaws in IE

John McCormick

Published: 15 Dec 2003 18:00 GMT

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Researcher Liu Die Yu has discovered multiple new and critical vulnerabilities in recent versions of Microsoft Internet Explorer. Microsoft has not yet released patches for these vulnerabilities, which mostly involve the way scripting is handled, but exploits are currently available on the Internet for hackers to use.

A number of other security issues also demand the attention of administrators, and as usual, you can read about those at the end of this article.

Details
A report by Secunia details the IE threats as follows: "A redirection feature using the 'mhtml:' URI handler can be exploited to bypass a security check in Internet Explorer, which normally blocks Web pages in the 'Internet' zone from parsing local files."

Another threat is a cross-site scripting vulnerability. This can allow an attacker to run script code in the security zone if a Web page contains a subframe.

Another vulnerability can allow the attacker to hijack mouse clicks on a Web site and permit the attacker to hide the malicious activity from the user.

The original bulletins have been included in a list of 35 IE vulnerabilities at Safecenter.net, apparently maintained by Liu Die Yu.

Applicability
The exact scope of this threat hasn't been completely clear at first, but the vulnerabilities definitely affect the latest versions of Internet Explorer, including IE 6. It probably also affects IE 5.01 and 5.5.

Risk level - High
The combination of vulnerabilities probably should be rated "critical", but because it's also fairly easy to mitigate the threat, I've rated it "high".

Secunia rates these vulnerabilities "extremely critical". Perhaps they gave the threats a higher rating because the discoverer has also published exploits.

Next

Previous

1 2


  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
100 out of 224 people found this useful


Full Talkback thread

0 comments

Company/Topic Alerts

Create a new alert from the list below:




Video icon

Video

Sentry Posts Blog

Motorola Droid Drops Today: Happy Droi...

Motorola Droid Drops Today: Happy Droid Day America! Author: Eric Everson, Mobile Security Expert If you’re wondering what all of the buzz is about with words like Droid and Android... More

Post a comment

Mobile Security Profile: BlackBerry St...

Mobile Security Profile: BlackBerry Storm2 Author: Eric Everson BlackBerry handsets are a staple of office culture; from syncing calendars to sharing business-related data,... More

Post a comment

South Korea plans to fingerprint visit...

The South Korean authorities could fingerprint and photograph foreign visitors from 2012, the Korea Times reported on Tuesday. Barring diplomats and government operatives, all visitors... More

Post a comment

Featured Talkback

In association with Network Liberation Movement
It seems to me this is a burden being placed on the wrong shoulders. There is not an It system in the world that can stop an individual taking information in their heads and spewing out at the nearest undesirable third party.

By: RonaldWilkins

Read full story:
Deloitte: People are still weakest security link


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

Newsletters