The dangers of scripting flaws in IE
John McCormick
Published: 15 Dec 2003 18:00 GMT
Researcher Liu Die Yu has discovered multiple new and critical vulnerabilities in recent versions of Microsoft Internet Explorer. Microsoft has not yet released patches for these vulnerabilities, which mostly involve the way scripting is handled, but exploits are currently available on the Internet for hackers to use.
A number of other security issues also demand the attention of administrators, and as usual, you can read about those at the end of this article.
Details
A report by Secunia details the IE threats as follows: "A redirection feature using the 'mhtml:' URI handler can be exploited to bypass a security check in Internet Explorer, which normally blocks Web pages in the 'Internet' zone from parsing local files."
Another threat is a cross-site scripting vulnerability. This can allow an attacker to run script code in the security zone if a Web page contains a subframe.
Another vulnerability can allow the attacker to hijack mouse clicks on a Web site and permit the attacker to hide the malicious activity from the user.
The original bulletins have been included in a list of 35 IE vulnerabilities at Safecenter.net, apparently maintained by Liu Die Yu.
Applicability
The exact scope of this threat hasn't been completely clear at first, but the vulnerabilities definitely affect the latest versions of Internet Explorer, including IE 6. It probably also affects IE 5.01 and 5.5.
Risk level - High
The combination of vulnerabilities probably should be rated "critical", but because it's also fairly easy to mitigate the threat, I've rated it "high".
Secunia rates these vulnerabilities "extremely critical". Perhaps they gave the threats a higher rating because the discoverer has also published exploits.
Previous
Did you find this article useful?
100 out of 222 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
