[G3]-Technews
[G3]-TechNews : Home| RSS | Atom | MSN | WAP

 Stickies:
Article: Step-by-Step Guide: How to set up a VPN
Article: Download: Microsoft Monad (Beta)
Article: Building a 64-Bit Multimedia Workstation
Article: Coming Soon to Windows: The Microsoft Shell (MSH)
Article: How to Reset Win NT / 2000 / XP Administrator Password
Article: The Technology Behind Dual Core CPUs
Article: How-To: Wireless Network Security
Article: Article: PCI Express - technology backgrounder
Article: Tutorial: Access Hidden Files on Your iPod
Article: Troubleshooting drivers with XP's hidden Driver Verifier Manager
Article: How to Make a 5 in 1 Network Cable
Article: Comparison - Blu-ray & HD DVD
Article: Beginners Guides Linux : Part 1 | Part 2 | Part 3
Article: How To Crack WEP (Wired Equivalent Privacy)
Article: Email Addresses Spoofing.
Link: Free PHP ebook
Link: FREE ASP.NET books and eLearning course
Link: Free registration code for Opera 8.
Invitations: Gazzag (Here) | Yahoo! 360 (Here)  | Orkut (Here)

Experts warn of trick to bypass IE download warnings
Contributed by: G3nu1n3, at 1/15/2005 08:11:00 PM.

A computer security researcher and an antivirus company are warning Microsoft customers about an unpatched hole in the company's Internet Explorer Web browser that could allow a remote attacker to bypass security warnings and download malicious content onto vulnerable systems.

The warnings came after the hole was identified on the Bugtraq Internet security discussion list by someone using the name "Rafel Ivgi." The hole affects Internet Explorer Version 6.0.0, including the version released with Windows XP Service Pack 2. The vulnerability allows malicious attackers to bypass warnings designed to inform users when a file is being passed to their computers using a specially-crafted HTML Web document. Microsoft officials weren't immediately able to comment on the issue.

Security software company Symantec issued a vulnerability alert about the hole today and cited Ivgi, which also provided code proving that the hole existed.

According to the Bugtraq message and Symantec alert, an Internet Explorer feature designed to catch references to file downloads doesn't detect a particular HTML event, known as "onclick," when it's combined with the common HTML Body tag, which designates the beginning and ending of the main part of a Web page.

Malicious Internet users could use the onclick event in combination with another function called "createElement" to create an IFrame, or "inline frame," which is an HTML element that allows external objects to be inserted into another HTML document. Attackers could link the IFrame to a malicious Web page that downloaded a malicious file to the user's computer when the page was clicked on, without generating a warning in the Information bar, Cupertino, Calif.-based Symantec said.

There is no patch available for the new hole, and no specific exploit code is required to take advantage of the hole, Symantec said. Internet Explorer users are advised to avoid links provided by unknown or untrusted sources in order to keep from being lured to a malicious Web site. They can also configure the browser to disable the execution of script code and active content, though doing so could have adverse effects on the way Internet Explorer functions, Symantec said.


Source: Link


Important:
To Read MOST UPDATED News Items browse to HOME page.

0 Comments:

Post a Comment

<< Home



[G3]-TechNews : Home| RSS | Atom | MSN | WAP


Archives :

- Monthly Archives :


- Post Count: 1,783 before June 1, 2005. (Since: October 26, 2004)