Ziff Davis Internet
News & Resources for the IT Reseller
NewsReviewsTech AnalysisCommentarySecurityLinux/Unix
My Account |  
Home > News > 

Serious IE Hole Opens PCs Up to Attacks
By Matthew Broersma
November 4, 2004


US-CERT on Wednesday warned of a fresh hole in Internet Explorer that could allow attackers to take control of a PC via an HTML e-mail message or a malicious Web page. The flaw is all the more serious because exploit code has been published on public mailing lists, according to security researchers.

ADVERTISEMENT

The flaw, a heap buffer overflow, is in the way IE handles two attributes of the “frame” and “iframe” HTML elements. An exploit currently circulating uses overly long SRC and NAME attributes to cause IE to execute an attacker’s shell code, according to US-CERT.

PointerRead here why Peter Coffee says IE flaws should come as no surprise.

Users could be attacked via a malicious Web page viewed in an affected version of IE or possibly through an HTML e-mail viewed in an application such as Outlook, Outlook Express, AOL or Lotus Notes that relies on the WebBrowser ActiveX control, according to researchers.

The bug has been confirmed in IE 6.0 on Windows XP with SP1 and all patches installed, as well as the same browser on a fully patched Windows 2000, according to an advisory from security firm Secunia. Microsoft Corp. has not yet released a patch.

eWEEK Special Report: Securing WindowsWindows XP systems running Service Pack 2 do not appear to be affected, researchers said. Apart from installing SP2, system administrators can lessen the danger of an attack by disabling active scripting, avoiding unsolicited links that may lead to a malicious Web page and rendering e-mails in plain text, US-CERT said. Updated anti-virus programs may also be able to prevent some exploit attempts.

PointerFor insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzer’s Weblog.

The fact that fully patched SP1 systems are vulnerable to the flaw, while SP2 systems are not, appears to show that the work put into Microsoft’s security-oriented update is paying off. A spoofing flaw in IE publicized over the weekend also affects pre-SP2 systems but is largely disabled by the service pack.

PointerCheck out eWEEK.com’s Security Center for the latest security news, reviews and analysis.

     
Email


TALKBACK
MICROSOFT RESOURCE CENTER
Free Hands-On Training Lab
Find out how key features of SBS 2003 can help you open up a new line of revenue. Register now >>


SBS 2003 Sales Reference Card
This handy reference card contains features at a glance, sales objection handling, pricing guidelines & more. Get it now >>


Microsoft Empower for ISVs rewards your big idea with big benefits and support.
Access key development tools at a low cost to help you develop that idea into an innovative application. Learn more >>




 
FREE WHITE PAPER
Changing Business for the Better: A Practical Guide to BPM


This paper provides an overview of the benefits of BPM technologies and identifies the characteristics of BPM solutions that lead to successful BPM process-centric integration projects.


Download this free white paper to learn more!

>> brought to you by IBM

Attention Microsoft Solution Providers!



Want to gain a competitive edge? Try Microsoft Watch – FREE!


Each week you receive:
  • Microsoft News and Insider Information
  • Expert Analysis
  • Code Names of Upcoming MS Products
  • Year-Ahead Calendar, updated monthly



    Click Here to sign up now for your FREE 14 Day Trial to Microsoft Watch.
    •  
    Topic Center Index
    Business Licensing Information Technology
    Companies Channels Resellers
    Software Management  

  • Add up to $1,200 of value with the new BONUS PACKS.
  • HP PartnerONE: The key to increasing your margins.
  • HP Compaq nc6129 Business Notebook. $1149 Smart Buy
  • HP xw8200 workstation. Smart Buy price $1549.
  • ProLiant DL360G4p server: HP Smart Buy price $1647
  • Microsoft files new anti-piracy lawsuits. Learn more.
  • New offers with Windows Genuine Advantage.

    		•

    RELATED LINKS

    NEWS

    View All >

    OPINION

    View All >
    POPULAR TOPICS
    More Topics…
    CHANNEL INSIDER BUYER’S GUIDE
    •Catalog Publishing
    •Dealer Management
    •Order Configuration
    •Price Management
    •Sales Management

    View All >

    SOLUTION BUILDER

    View All >
    CAREER CENTER
    Search the jobs you want & get the info you need – post your resume here today!

    Powered by Dice

    TECH ANALYSIS

    View All >

    CONTRACT WATCH

    View All >
    SPECIAL REPORTS
    White Boxes
    MS vs. IBM
    Linux in the Channel
    Network
    CHANNEL RSS FEED
    Stay in the Zone
    Put The Channel Insider on your desktop.
    FREE NEWSLETTERS
    Subscribe to The Channel Insider: Channel News, Reviews, Resources and more.

    Make your selections below:

    Contract Watch

    The Channel Insider Update

    Preferred e-mail format:

    Enter your e-mail:


    view all newsletters >>

    Channel Insider      Contact Us | Advertise | Site Map

    Channel Insider Quick Links

    B2B | Compliance | Competitors | Procurement Contracts | Site Licenses | Microsoft Licenses | Certification | OEM
    Custom PC | IT Sales | Distribution Channels | Service Providers | Turnkey Integration | VAR | Microsoft Resellers
    Computer Resellers | Software Distributors | Business Management | System Integrators | Technology Partners

    Ziff Davis Footer Logo

    Ziff Davis Home | Contact Us | Advertise | Link to Us | Reprints | Magazine Subscriptions | Newsletters | RSS Feeds
    Tech Shop | White Papers | Tech Encyclopedia | PC Downloads | ROI Calculators | Tech Jobs
    Enterprise Product Comparison Guides | Consumer Electronics Buying Guides | Tech Podcasts | Tech Video

    1UP | Baseline | The Channel Insider | CIO Insight | Cranky Geeks | DesktopLinux | DeviceForge | DevSource
    DigitalLife | DL.TV | eSeminars | eWEEK | ExtremeTech | Filefront | GameVideos | GearLog | LinuxDevices
    Linux Watch | Microsoft Watch | PC Magazine | PCMagCasts | PDF Zone | Security IT Hub | Server IQ
    Smart Company | Technoride | Web Buyer's Guide | What's New Now | Windows for Devices

    Use of this site is governed by our Terms of Use and Privacy Policy
    Copyright © 2003-2006: Ziff Davis Publishing Holdings Inc. All rights reserved. The Channel Insider is a trademark of Ziff Davis Publishing Holdings Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Media Inc. is prohibited.