
Two New IE Flaws Found

Security researchers have uncovered two more security flaws in Microsoft's Internet Explorer Web browser that could be used to install unwanted software when users visit a malicious site. Both researchers released "proof of concept" code that could serve as rough blueprints showing would-be attackers how to exploit the flaws.

Matthew Murphy, a 19-year-old security consultant and student at Missouri State University, said he released his findings because he believed Microsoft wasn't taking his research seriously enough. He said he first notified Redmond about the flaw in October.

Murphy said Microsoft may not have rushed to fix the flaw because exploiting it successfully takes some user interaction (tricking the user into clicking on an image or a certain part of the screen at a precise moment), and because it may only be exploitable on older Windows systems, such as Windows 2000, Windows ME, Windows 98, and Windows XP without Service Pack 2 installed.

The other unpatched IE flaw that came to light this week was found by Michal Zalewski and is far more dangerous, allowing bad guys to install spyware and other junk when users merely visit a malicious site. Vulnerability tracking company Secunia says it has confirmed that Zalewski's proof-of-concept exploit would allow such sites to install programs on fully patched Windows XP systems with IE 6.0 and Service Pack 2 installed.

Having a couple of unpatched IE security flaws running around wouldn't be so bad if more users were savvier about avoiding the slings and arrows of spyware. A new study by McAfee shows that most users can't tell the difference between a legitimate download site and one that tries to bundle in all kinds of adware and spyware that will send you to PC hell.

McAfee based that conclusion on the results of a new online quiz that rates your ability to spot adware-installing sites. The quiz is a clever plug for McAfee's most recent acquisition, a free browser security add-on called SiteAdvisor, which I've reviewed before.

Out of the 14,000 or so people who have taken the quiz so far, only 3 percent managed to get all of the answers correct, the company said. Heck, I only got 3 out of the eight questions right. And these aren't even the kinds of sites that are most likely to be exploiting unpatched browser flaws -- you at least have to agree to download something. The way I see it, however, if you're going around the Web and downloading cutesy free games, smiley-face icons, screensaver programs and peer-to-peer file-sharing software, you're more or less playing Russian roulette with your PC.

Still, while the screensaver and free-game sites can be faulted for getting into bed with some of the sleazier companies in the adware business, most will at least give some sort of notice before installing their junk. The sites most likely to use unpatched browser flaws to install spyware are adult Web sites and those that cater to software piracy, as well as random, poorly secured Web pages that get hacked.

And lest you think spyware purveyors only try to trick IE users, think again, dear readers. The guys over at the Sunbelt Software blog have posted a bunch of screenshots that show what can happen when you cruise the Web with unpatched versions of Firefox.

By Brian Krebs  |  April 28, 2006; 11:30 AM ET
Categories:  Latest Warnings  


Despite running Mozilla with all the latest patches, AdAware, Spybot Search & Destroy, and Norton Anti-Virus on my son's computer, he managed to load it with THOUSANDS of unwanted adware files. Although they found and quarantined or deleted hundreds of files, the only program I could find that could make his machine run properly again was Webroot, which was free through my MSN account. It is still blocking attacks every few seconds from a site called

Posted by: WA2CHI | April 28, 2006 2:19 PM | Report abuse

Okay, so the 'test' you're advertising (why do that?) gives you a score, but doesn't tell you what you got wrong or even whether you were overly cautious or not cautious enough. The screenshots don't contain enough information to make the assessments for which they are asking and there's no option to say so. It's really nothing more than an advertisement.

Your way of looking at it is equally worthless, however. While I have no interest in smilies and such either, there's clearly a market for them. Spyware peddlers will target whatever is popular, and the lesson can't be "Don't look for things that teenagers want".

Posted by: James | April 28, 2006 3:05 PM | Report abuse


After I finished the quiz, it pointed out which ones I got wrong, so I don't understand your complaint there. Also, I think their idea was to show that it isn't easy to tell the difference just by looking at them. I'm guessing that you didn't read the review I wrote of SiteAdvisor a while back (it's linked in the above post), but the whole point of that software was that it could help you make informed decisions about the safety of sites that turn up in search engines BEFORE you click on them or download anything from them.

Posted by: Bk | April 28, 2006 3:37 PM | Report abuse

I also scored three out of eight, but I don't think the quiz was quite fair. In its explanations of my results, McAfee showed how their software had detected the presence of various spyware and other items that would not be visible just from glancing at a chunk of the home pages. So we didn't have access to the full behind-the-scenes information that the anti-spyware program did, and we couldn't be expected to see things that are not immediately apparent "with the naked eye".

Posted by: Scott | April 28, 2006 4:15 PM | Report abuse

One factor that seems to be often overlooked in Windows security issues is that of the file system. If you run with FAT32 you have no file protection; if you run with NTFS you have file protection, if it is set up correctly (and Windows is not too clever at ownership and protection changes of a user's My Documents folder structure). So running as a limited user account has restrictions but does not give you the needed protection if you do not have an NTFS file structure. I don't know who is playing Russian roulette. Sometimes it is clearly the user, but other times I wonder if Microsoft have allowed Administrator accounts too many rights and privileges.

Posted by: Steve | April 29, 2006 5:43 AM | Report abuse
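A check of the two conditions the comment above describes (whether the system volume is NTFS, and whether the account in use is an administrator), as an added example that is not part of the original post or of any comment. It assumes a Windows PowerShell session; the folder and drive names come from the environment, and the `convert` command it mentions is Microsoft's standard FAT-to-NTFS conversion tool.

```powershell
# Added example, not from the post or its comments. A limited (non-admin) account
# only protects files when the volume is NTFS, because FAT32 has no per-file ACLs.
$sysDrive = $env:SystemDrive   # usually "C:"

# 1. File system of the system volume
$vol = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$sysDrive'"
"System volume {0} is {1}" -f $sysDrive, $vol.FileSystem
if ($vol.FileSystem -ne 'NTFS') {
    # convert.exe is one-way (NTFS cannot be turned back into FAT32 without a
    # reformat) and schedules conversion of the system volume for the next reboot.
    "  {0} has no file permissions. To convert, run: convert {1} /FS:NTFS" -f $vol.FileSystem, $sysDrive
}

# 2. Is the current account an administrator?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Running as {0}; administrator: {1}" -f $identity.Name, $isAdmin

# 3. On NTFS, who can write into this user's Documents folder? Anything beyond the
#    owner and SYSTEM/Administrators here is what the comment warns about.
if ($vol.FileSystem -eq 'NTFS') {
    $docs = [Environment]::GetFolderPath('MyDocuments')
    $acl  = Get-Acl -Path $docs
    "Owner of {0}: {1}" -f $docs, $acl.Owner
    $acl.Access |
        Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
        ForEach-Object { "  {0}: {1}" -f $_.IdentityReference, $_.FileSystemRights }
}
```

On Windows Vista and later, an administrator account running without elevation reports `administrator: False` because of UAC's split token; the XP-era systems discussed in the post have no such split, so the answer there is the real one.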

On the quiz, I scored five out of eight on the first go, which makes me a Tightrope walker! Still, not bad for someone who doesn't (generally) know the difference between P2P and PlayStation 2! Seriously, you can sometimes tell by the feel (sight) of a site whether it is the baddie or the goodie, but not every time. That's why I am totally bundled by the most up-to-date software possible, mostly recommended by Mr Krebs himself. Us tightrope walkers can't be too careful!

Posted by: Sarah | April 29, 2006 9:11 AM | Report abuse

Brian, you linked to an explanation of the second vulnerability, but not the first:

>>only 3 percent managed to get all of the answers correct, the company said. Heck, I only got 3 out of the eight questions right.

Here's what's wrong with their evaluation:

Posted by: Mark Odell | April 29, 2006 4:51 PM | Report abuse

The link posted above is not correct. It links to an older vulnerability report that I made in February. The new vulnerability report is here:

Posted by: Matthew Murphy | April 30, 2006 9:06 PM | Report abuse


We had conversed before about Kodak's security practices.

This time I'd like to bring to your attention, one of the latest Microsoft Security patches:
"Windows Genuine Advantage Notification"
While I have no problem with what Microsoft is trying to do with this software, i.e., check to see if you have a valid licence of MS software...
What does bother me is that they keep reminding me to download and install this software... That is ...
This is stated in their own information that they provide you before you install the software.
I'm sorry Microsoft -- I am not a guinea pig. I can wait for the REAL THING...

Roger Myers

Posted by: Roger Myers | April 30, 2006 10:20 PM | Report abuse

Thank you, Matthew; I stand corrected.

From that link:
>>This situation is particularly serious on Windows Server 2003 RTM, Windows XP Service Pack 1, Windows 2000, and other older OSes, because prompting to allow ActiveX installation is still done via a modal dialog on those systems. On these systems, successful exploitation of this condition allows software installation as the logged on user.

Then they approach the right answer:
>>* Set security settings to "Enable" or "Disable" rather than "Prompt"

. . . except that's not a "workaround".

Posted by: Mark Odell | April 30, 2006 11:58 PM | Report abuse
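The workaround quoted in the comment above is a configuration change, so here it is as an added example, not taken from the post, the advisory, or any comment. It assumes Windows PowerShell and uses Microsoft's documented registry layout for IE security zones: zone 3 is the Internet zone, value 1001 is "Download signed ActiveX controls", 1004 is "Download unsigned ActiveX controls", and the data is 0 (Enable), 1 (Prompt) or 3 (Disable).

```powershell
# Added example, not from the post or its comments: report the ActiveX download
# settings of IE's Internet zone and move any "Prompt" entry to "Disable", which
# removes the modal dialog the advisory says a lured click can answer.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
}
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

foreach ($name in $actions.Keys) {
    $current = (Get-ItemProperty -Path $zone -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $current) {
        # No per-user value: IE falls back to the zone template, which this script
        # does not read, so leave it alone and say so.
        "{0} ({1}): not set for this user" -f $actions[$name], $name
        continue
    }
    $state = if ($labels.ContainsKey([int]$current)) { $labels[[int]$current] } else { "unknown ($current)" }
    "{0} ({1}): {2}" -f $actions[$name], $name, $state

    if ([int]$current -eq 1) {
        Set-ItemProperty -Path $zone -Name $name -Value 3 -Type DWord
        "  -> changed to Disable"
    }
}
```

Two caveats a practitioner would want: the change is per-user (HKCU) and is ignored when the machine sets `Security_HKLM_only` or manages zones through Group Policy, where the HKLM or Policies keys win; and a site that legitimately needs an ActiveX install belongs in the Trusted sites zone (zone 2) rather than having the Internet zone loosened again.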

I refer to item "Posted by: Steve | April 29, 2006 05:43 AM...If you run with FAT32 you have no file protection; if you run with NTFS you have file protection" >> For a computer technology and computer language DUMMY like me, please lead me to where there are details, STEP-BY-STEP, that teach how to set my computer for FAT32.

Posted by: Haroun | May 1, 2006 11:46 AM | Report abuse

Dear Brian,
MS made the IE7 beta version available, but I am still concerned about downloading it without causing irreparable side effects to my system, which is Windows XP with SP2 and Office 2003, using its Outlook 2003!
Please give me your opinion!
Much appreciated

Posted by: Antonio Magalhaes | May 1, 2006 12:37 PM | Report abuse

Dear Brian,
I still use IE 6.0.9 ~ with SP2 update. MS made an IE7 beta version, but I have not yet downloaded it! I use in a reasonable way some adult sites!
What do you recommend?
My system is XP with SP2

Posted by: Antonio Magalhaes | May 1, 2006 12:43 PM | Report abuse


Our Public Library converted to a new IE version, at least it has tabbed browsing so I think it's new. The version is still showing 6...

Anyway, it really messed up the Washington Post Editorial page -- everything is blocked and sequential and it takes several minutes to scroll down.

Just thought you might like to know.

Posted by: GTexas | May 1, 2006 5:29 PM | Report abuse

This post is a CORRECTION to my earlier ones on item Posted by Mr. Steve /April 29/ 2006 05:43 AM. "If you run with FAT32 you have no file protection; if you run with NTFS you have file protection" >> My comment, or rather QUERY, is: For a computer technology and computer language DUMMY like me, please lead me to where there are details, STEP-BY-STEP, that teach how to set my computer for NTFS and not FAT32 as I earlier posted. Thank you

Posted by: Haroun | May 1, 2006 11:27 PM | Report abuse

The comment about Windows Genuine Advantage Notification fails to mention something important. The EULA says that Microsoft will collect information about your hardware and software! It also says that Microsoft will share this information with third-party vendors! I would say that this is spyware! I think it has very little to do with preventing piracy. Of course, this is my opinion!

Posted by: Roy | May 3, 2006 2:51 PM | Report abuse

I have installed free software products from Comodo, which run in the above specified OS. If my Windows has got a flaw, would that slow my system down?

Posted by: Allan | May 11, 2006 2:13 AM | Report abuse

© 2010 The Washington Post Company