Browsers beware: new holes in IE and Flash
Published: 27 Aug 2002 12:24 BST
Web browsing just got a lot more dangerous with the discovery of several new software flaws.
Internet Explorer, which accounts for greater than 80 percent of all Web browsers, has been found to have a problem in the way that it verifies URLs after initially receiving a valid digital certificate. This can allow any site with such a certificate to hijack information intended for any other secure site.
And Macromedia Flash has two new vulnerabilities, the worst of which can allow attackers to run arbitrary code on computers with the Flash player installed. Macromedia says that includes virtually every computer with a browser.
SSL threat
It has been discovered that once a certificate is accepted by IE, a second certificate will be accepted that allows someone to hijack the ongoing transaction as long as the second certificate is also valid. But -- and here's the important part -- the second certificate doesn't have to be related in any way to the first one. It merely has to be valid in its own right. So anyone with a valid digital certificate could hijack a commerce session from other sites and steal confidential data.
Thus, it now appears that no SSL transaction using IE can be treated as secure. The problem is found in several browsers but not, apparently, in Netscape Navigator, although this isn't entirely clear yet.
Media reports have suggested that Mozilla 0.9.4 is not vulnerable, with some commentators suggesting this is because it has so many other bugs, but Konqueror 3.0 (the KDE 3.0.2 desktop environment on SuSE 8.0) is seriously vulnerable to this flaw.
Some recently disclosed vulnerabilities in OpenSSL are also detailed in the CERT Advisory CA-2002-23, but none of them is as dangerous as this flaw in IE. The OpenSSL flaws involve only a denial of service event, which is worrying, but obviously a lesser concern than compromising secure data.
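The acceptance rule described above, modelled as an added example (not code from the column or from any browser): a session opened to one site and a check that accepts any certificate that is valid in its own right, beside a stricter check that also requires the certificate to name the session's host. All names, the trust store and the HMAC-based "signatures" are constructed stand-ins for real CA signatures.

```python
"""Model of the IE SSL flaw described above: a session opened to one site later
accepts any other valid certificate, even one unrelated to that site.
All keys, names and certificates are constructed; HMACs stand in for CA signatures."""
import hashlib
import hmac

# Constructed trust store: CA name -> CA secret used for the toy signature.
TRUSTED_CAS = {"ExampleRootCA": b"constructed-root-key"}

def _tbs(subject, issuer, not_after):
    """Bytes covered by the toy signature (the 'to-be-signed' fields)."""
    return f"{subject}|{issuer}|{not_after}".encode()

def issue_cert(subject, issuer, not_after):
    """Issue a certificate signed by a trusted CA (constructed, not real X.509)."""
    sig = hmac.new(TRUSTED_CAS[issuer], _tbs(subject, issuer, not_after), hashlib.sha256).hexdigest()
    return {"subject": subject, "issuer": issuer, "not_after": not_after, "sig": sig}

def is_valid(cert, today):
    """'Valid in its own right': trusted issuer, intact signature, not expired."""
    key = TRUSTED_CAS.get(cert["issuer"])
    if key is None or today > cert["not_after"]:  # ISO dates compare correctly as strings
        return False
    expected = hmac.new(key, _tbs(cert["subject"], cert["issuer"], cert["not_after"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["sig"])

def accept_flawed(session_host, cert, today):
    """Behaviour the column describes: any valid certificate is accepted for
    the ongoing session, regardless of which site it names."""
    return is_valid(cert, today)

def accept_strict(session_host, cert, today):
    """Hardened check: the certificate must also name the host the session was opened to."""
    return is_valid(cert, today) and cert["subject"] == session_host

TODAY = "2002-08-27"
SHOP_CERT = issue_cert("shop.example", "ExampleRootCA", "2003-08-27")
OTHER_CERT = issue_cert("other.example", "ExampleRootCA", "2003-08-27")  # someone else's valid cert
FORGED_CERT = dict(OTHER_CERT, subject="shop.example")  # renamed, so its signature no longer matches

def demo():
    """Which certificates each policy accepts for a session opened to shop.example."""
    return {
        "flawed_accepts_other": accept_flawed("shop.example", OTHER_CERT, TODAY),
        "strict_accepts_other": accept_strict("shop.example", OTHER_CERT, TODAY),
        "strict_accepts_shop": accept_strict("shop.example", SHOP_CERT, TODAY),
        "strict_accepts_forged": accept_strict("shop.example", FORGED_CERT, TODAY),
    }
```

The flawed policy lets the unrelated but valid other.example certificate through; the strict policy rejects it while still accepting the genuine shop.example certificate and rejecting the renamed one.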
Flash problems
My June 10, 2002, column covered a number of Flash vulnerabilities, but they're unrelated to the new problems that have been discovered.
The first new vulnerability could allow an attacker to run arbitrary code on your computer. This attack is based on a malformed SWF (Flash movie) header vulnerability designated as MPSB02-09 by Macromedia.
The second problem, discovered by eEye Digital Security and designated MPSB02-10, can be used to modify a URL and hence read, modify, or delete local files. The same vulnerability existed in both Internet Explorer and Netscape Navigator, but they were patched in the early spring. Internet Explorer for the Macintosh still has this vulnerability.
Yet another Flash problem was first made public in April but only appeared on the CERT vulnerability listing in August. This fault is not a security threat as such, but it does consume bandwidth and slow operations. In addition, a specific attack isn't required; this DoS event is a normal process for Flash 6. It seems that when a Flash animation fires up as you visit a site, it continues even after you leave the site. In fact, data may continue to be transferred until you close the browser. This is fixed in Flash Player versions newer than 6.0.25.0.
Applicability
The SSL flaw apparently involves all versions of Internet Explorer going back at least five years, including IE 5, IE 5.5, and, in some circumstances, IE 6, along with some other programs that are still being evaluated.
Flash Player versions prior to 6.0.40.0 have a buffer overflow vulnerability (MPSB02-09) due to the way they handle malformed headers. This can enable a malicious attacker to run arbitrary code on a system. The vulnerability relates only to Flash files that contain some custom coding. Macromedia reports that its development software will not produce files containing this exploit.
The company also says that the Flash Player versions affected by MPSB02-10 include all versions earlier than version 6.0.47.0, which fixes the problem.