Browsers beware: new holes in IE and Flash
Published: 27 Aug 2002 12:24 BST
Threat levels
SSL - critical: The SSL problem is a lethal vulnerability that essentially means any SSL transaction ever made through IE 5 or later may have been compromised.
Flash Buffer Overflow - serious: The Flash overflow vulnerability (MPSB02-09) is especially dangerous because it is not browser- or operating system-dependent and therefore affects any user whether they are using Internet Explorer, Netscape Navigator, Windows, Linux, or Unix. Also, firewalls are normally configured to allow Web browser use, including the ability to pass Flash files, so there is no protection provided by following good security practices. In fact, this attack doesn't even require the use of a browser, just an application that will play an SWF file, which can include instant messaging and e-mail.
Flash URL Modification (XML) - serious: The other new Flash vulnerability (MPSB02-10) exists in the XML implementation in Flash Player and can trick a browser into disclosing files on the local hard drive.
Mitigating factors
Microsoft indicates that it would be difficult to exploit the SSL vulnerability, but others in the security community are vigorously disputing this claim and pointing out that many readily available hacker tools could be used to manipulate browsers so they would expose data through this flaw.
Macromedia doesn't list mitigating factors for any of its vulnerabilities.
Fix
To fix the SSL problem, do not use IE for SSL transactions until it's secured with a patch. Microsoft hasn't indicated that the company feels this is a serious flaw, and there has been no report that they are working on a patch.
Flash: Macromedia urges users to download and install the latest version of the Flash Player (currently version 6.0.40.0) to block the serious malformed header attack vulnerability (MPSB02-09).
The XML vulnerability (MPSB02-10) is also fixed in the newest versions of Flash Player, as is the persistent connection problem.
This can get a bit confusing, so the best policy is simply to download the latest version of Flash Player rather than looking for a specific version as mentioned in different vulnerability listings.
Final word
What's the absolute worst thing you can think of that you could discover about Internet Explorer? Would a vulnerability that would let sites easily hijack credit card information be pretty high on the list? How about if Microsoft knew about the vulnerability for five years or more and did nothing?
The biggest stumbling block to getting people to make purchases on the Internet has always been a fear that thieves could get hold of their credit card information (even though the risk exists when presenting a credit card in a shop or restaurant, or giving the credit card information over the phone to a mail order company).
We have all come to rely on SSL technology and to trust that the little padlock symbol on our browser was assurance that our information was protected. Indeed, most reported credit card data disclosures have come from people hacking servers, not hijacking information en route. But it turns out that this may be due more to luck than to good security.
Microsoft is making little of the SSL vulnerability, saying that a hacker would have to go to the extraordinary effort of creating a Web page and then redirecting surfers to the site. This ignores the fact that such a ploy is easy to do and, in fact, happens all the time. The fact that Microsoft apparently knew about the ability to hijack SSL data for five years and did nothing about it is unacceptable.
As for the Flash problems, the information that Flash 6 keeps links active after leaving a site certainly clears up some problems I have been experiencing with bandwidth hogging. Sometimes, I see a lot of continued data traffic even when all the browser windows I have open are static. Apparently, I've been seeing Flash traffic from sites I've left that have remained active in the background. For a corporate network, this could add up to a lot of unneeded bandwidth utilization.