Geeks With Blogs
Markus Beamer blog

An Amazing little flaw, that could be very, very dangerous.

http://www.insert-title.com/web_design/default.aspx?page=articles/dev/danger

Holy @%&!

<button onclick="location.href=unescape('http://www.microsoft.com%01@insert-title.com/web_design/default.aspx?page=articles/dev/danger');">
Danger
</button>

 


Notice the address bar after clicking....

I am sure you can see very clearly why I say this is a very dangerous bug...
But in case you're not sure... imagine..

Your grandma gets an email that says it's from her bank or PayPal or eBay or anywhere else you may utilize the benefits of online shopping or banking.

Why wouldn't she trust it?
Why wouldn't I?
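A defensive check for the trick behind the Danger button, as an added example that is not part of the original post: it parses a link, reports the host that will really be contacted, and flags userinfo that imitates a hostname or hides a control character. The name `inspectLink` and the regular expressions are assumptions made for this illustration.

```javascript
// Added example (not from the original post): inspect a link for the
// "trusted-name@real-host" trick used by the Danger button.
const CONTROL = /%[01][0-9a-f]|%7f|[\u0000-\u001f\u007f]/i; // encoded or raw control char
const HOSTLIKE = /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i;            // looks like a DNS name
const AUTHORITY_USERINFO = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)@/i;

function inspectLink(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { suspicious: true, reasons: ['unparseable URL'], realHost: null };
  }
  const reasons = [];
  // Read userinfo from the raw string too, so nothing the parser normalises is missed.
  const m = AUTHORITY_USERINFO.exec(raw);
  const userinfo = m ? m[1] : url.username;
  if (userinfo) {
    reasons.push('userinfo present before "@"');
    // What a reader sees first: the user name up to any control character.
    const shown = userinfo.split(':')[0].split(CONTROL)[0];
    if (HOSTLIKE.test(shown)) reasons.push('userinfo imitates host ' + shown);
    if (CONTROL.test(userinfo)) reasons.push('control character in userinfo');
  }
  return { suspicious: reasons.length > 0, reasons, realHost: url.hostname };
}

// Constructed sample links; the first is the URL from the button above.
const samples = [
  'http://www.microsoft.com%01@insert-title.com/web_design/default.aspx?page=articles/dev/danger',
  'http://www.microsoft.com\u0001@insert-title.com/', // same link after unescape()
  'https://www.example.com/login',
];
for (const s of samples) {
  const r = inspectLink(s);
  console.log(JSON.stringify(s), '->', r.realHost, r.suspicious ? r.reasons.join('; ') : 'ok');
}
```

A mail filter or link preview can show `realHost` next to the link text, so the reader sees where the link actually leads.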


Thanks to ZDNet for making me aware of this

01.24.04
Microsoft has admitted that it is still unable to release a fix for a serious flaw in Internet Explorer (IE) that allows hackers to clone websites. Security experts notified the software giant about the vulnerability, exploited in so-called 'phishing' attacks, early last month.

The company was expected to solve the problem in its monthly security bulletin last week, but it failed to appear.

If Microsoft decides not to release the patch until its next security bulletin, users will have to wait until at least 10 February for a solution.

"We know, and have recorded, that there is an issue and a problem, and we are working on a patch that will be issued as soon as possible," said Stuart Okin, chief security officer at Microsoft UK.

The IE flaw allows websites to be copied and passed off as the real thing. Fraudsters send emails to consumers claiming to be from a bank or other organisation, with a link to the spoofed site asking for details such as security information and passwords.

Companies hit by phishing attacks in recent months include Visa, CitiBank, Lloyds TSB, Barclays and eBay.

Okin is unclear about the progression of the IE patch, or when it will be released.

"We haven't decided if it will be out of the monthly patch cycle or within the main release. This will be based on consumer feedback," he said. Security experts believe that the flaw has serious implications that could damage consumer trust in the internet. "I think this is a major problem," said Dinis Cruz, chief technology officer at security firm CISSP.

"It has the potential to affect the amount of trust consumers have in the internet. Once you break that trust, it is very hard to get it back."
Posted on Friday, July 9, 2004 10:25 AM Developing


Comments on this post: IE Security Flaw

# re: IE Security Flaw
This is many months old (notice the "01.24.04"), and was patched fairly quickly.

Is old news still news?
Left by Rob on Jul 09, 2004 2:27 PM

# re: IE Security Flaw
I'll have to check my patch updates, I just rebuilt my machine (about 3 weeks ago) and that flaw is still on my machine. *runs off to check windows updates*

MB
Left by mobeamer on Jul 09, 2004 3:30 PM

# re: IE Security Flaw
Actually this wasn't patched. It's still vulnerable by calling it from shell using the same script.

It can't be patched because IE is built into the system. Even more scary is the fact that as a result of this, it can access any other Microsoft app, database or tool on your system and run arbitrary code.

This has been noted on many sites and was the reason they issued an incorrect statement saying Mozilla was vulnerable; it is actually the underlying OS that allows any app to call any other app via a shell call.
Left by Bob Dobbes on Jul 11, 2004 9:35 PM
