Think vulnerabilities only happen in IE? Think again
Published: 12 Apr 2005 13:35 BST
But don't think Mozilla's security woes means Microsoft's getting off easy this week. eEye Digital Security is reporting that its engineers have discovered a new vulnerability in Outlook and Internet Explorer. eEye has sent the information to Microsoft, and this security vendor doesn't provide any details about vulnerabilities until the vendor releases a patch.
So far, all we know from the disclosure is that the vulnerability entails a remote code execution threat to multiple versions of Internet Explorer. Our article on the topic offers a little more information, implying that would-be attackers could exploit the IE vulnerability by getting users to surf across a banner ad.
In addition, eEye published an earlier vulnerability that also affects IE as well as Outlook. The security vendor notified Microsoft of the vulnerability on March 16, but the software giant has not yet released a patch. Because eEye publishes no details about new threats that could help script kiddies, it's difficult to determine which of the two IE threats is generating online reports elsewhere.
Applicability
Most—and possibly all—Mozilla-family browsers are vulnerable to the Java-based information disclosure threat. Specifically, all Mozilla browsers from 0.x through 1.7.x are vulnerable, as well as all Firefox versions, including 1.0.2 (the most recent release). Netscape 6.x and 7.x are definitely vulnerable, but Secunia reports that other versions may also be susceptible.
While unspecified, multiple versions of IE on various platforms are vulnerable to one or both of the remote code execution threats discovered by eEye.
Risk level - Critical
All three of these threats range from serious to critical. At this time, vendors have yet to release any patches. However, I haven't seen any reports that attackers are attempting to actively exploit any of the three threats either.
Mitigating factors
Since all three threats appear to apply to default installations of the browsers, the only mitigating factor is that no one is exploiting the vulnerabilities yet. Thanks to the availability of more details about the Mozilla-family vulnerability, we know attackers can only exploit this threat if users browse to a malicious Web site. However, thanks to the publishing of proof-of-concept code for the Mozilla-family browsers, we can expect to see exploits soon.
Of course, while you can switch to Firefox to avoid the latest IE vulnerability, you'll then have to deal with the new Firefox vulnerability instead—and it appears to be nearly as dangerous.
Previous
Did you find this article useful?
137 out of 329 people found this useful
- Share this article:
Full Talkback thread
3 comments
