Two New IE Flaws Found
Security researchers have uncovered two more security flaws in Microsoft's Internet Explorer Web browser that could be used to install unwanted software when users visit a malicious site. Both researchers released "proof of concept" code that could serve as rough blueprints showing would-be attackers how to exploit the flaws.
Matthew Murphy, a 19-year-old security consultant and student at Missouri State University, said he released his findings because he believed Microsoft wasn't taking his research seriously enough. He said he first notified Redmond about the flaw in October.
Murphy said Microsoft may not have rushed to fix the flaw because successfully exploiting it takes some user interaction (tricking the user into clicking on an image or a certain part of the screen at a precise time), and it may only be exploitable on older Windows systems, such as Windows 2000, Windows ME, Windows 98, and Windows XP without Service Pack 2 installed.
The other unpatched IE flaw that came to light this week was found by Michal Zalewski and is far more dangerous, allowing bad guys to install spyware and other junk when users merely visit a malicious site. Vulnerability tracking company Secunia says it has confirmed that Zalewski's proof-of-concept exploit would allow such sites to install programs on fully patched Windows XP systems with IE 6.0 and Service Pack 2 installed.
Having a couple of unpatched IE security flaws running around wouldn't be so bad if more users were savvier about avoiding the slings and arrows of spyware. A new study by McAfee shows that most users can't tell the difference between a legitimate download site and one that tries to bundle in all kinds of adware and spyware that will send you to PC hell.
McAfee based that conclusion on the results of a new online quiz that rates your ability to spot adware-installing sites. The quiz is a clever plug for McAfee's most recent acquisition, a free browser security add-on called SiteAdvisor, which I've reviewed before.
Out of the 14,000 or so people who have taken the quiz so far, only 3 percent managed to get all of the answers correct, the company said. Heck, I only got 3 out of the eight questions right. And these aren't even the kinds of sites that are most likely to be exploiting unpatched browser flaws -- you at least have to agree to download something. The way I see it, however, if you're going around the Web and downloading cutesy free games, smiley-face icons, screensaver programs and peer-to-peer file-sharing software, you're more or less playing Russian roulette with your PC.
Still, while the screensaver and free-game sites can be faulted for getting into bed with some of the sleazier companies in the adware business, most will at least give some sort of notice before installing their junk. The sites most likely to use unpatched browser flaws to install spyware are adult Web sites and those that cater to software piracy, as well as random, poorly secured Web pages that get hacked.
And lest you think spyware purveyors only try to trick IE users, think again, dear readers. The guys over at the Sunbelt Software blog have posted a bunch of screenshots that show what can happen when you cruise the Web with unpatched versions of Firefox.