[ISN] US-CERT: Beware of IE

InfoSec News isn at c4i.org
Wed Jun 30 10:24:20 EDT 2004


http://www.internetnews.com/security/article.php/3374931

June 29, 2004 
By Ryan Naraine 

The U.S. government's Computer Emergency Readiness Team (US-CERT) is
warning Web surfers to stop using Microsoft's Internet Explorer (IE)  
browser.

On the heels of last week's sophisticated malware attack that targeted
a known IE flaw, US-CERT updated an earlier advisory to recommend the
use of alternative browsers because of "significant vulnerabilities"  
in technologies embedded in IE.

"There are a number of significant vulnerabilities in technologies
relating to the IE domain/zone security model, the DHTML object model,
MIME-type determination, and ActiveX. It is possible to reduce
exposure to these vulnerabilities by using a different Web browser,
especially when browsing untrusted sites," US-CERT noted in a
vulnerability note.

The latest US-CERT position comes at a crucial time for Microsoft ,
which has invested heavily to add secure browsing technologies in the
coming Windows XP Service Pack 2. The software giant has spent the
last few months talking up the coming IE security improvements but the
slow response to patching well-known -- and sometimes "critical" --
browser holes isn't sitting well with security experts.

On discussion lists and message boards, security researchers have
spent a lot of time beating the "Dump IE" drum, and the US-CERT notice
is sure to lend credibility to the movement away from the world's most
popular browser.

US-CERT is a non-profit partnership between the Department of Homeland
Security (DHS) and the public and private sectors. It was established
in September 2003 to improve computer security preparedness and
response to cyber attacks in the United States.

It has been more than two weeks since Microsoft confirmed the
existence on an "extremely critical" IE bug, which was being used to
load adware/spyware and malware on PCs without user intervention but,
even though the company hinted it would go outside its monthly
security update cycle to issue a fix, the flaw remains unpatched.

US-CERT researchers say the IE browser does not adequately validate
the security context of a frame that has been redirected by a Web
server. It opens the door for an attacker to exploit the flaw by
executing script in different security domains.

"By causing script to be evaluated in the Local Machine Zone, the
attacker could execute arbitrary code with the privileges of the user
running IE," according to the advisory.

"Functional exploit code is publicly available, and there are reports
of incidents involving this vulnerability."

To protect against the flaw, IE users are urged to disable Active
scripting and ActiveX controls in the Internet Zone (or any zone used
by an attacker). Other temporary workarounds include the application
of the Outlook e-mail security update; the use of plain-text e-mails
and the use of anti-virus software.

Surfers must also get into the habit of not clicking on unsolicited
URLs from e-mail, instant messages, Web forums or internet relay chat
(IRC) sessions.





More information about the ISN mailing list