Slashdot Mirror

← Back to Stories (view on slashdot.org)

Another MS Internet Explorer Security Hole

Posted by timothy on from the ever-onward dept.

chkorn writes "Michal Zalewski detected another security issue in Microsoft's Internet Explorer. With a well formed FRAME or IFRAME tag a Buffer Overflow happens and you can execute bad code on the stack. In his announcement on Bugtraq, he added a proof of concept and explained that all Internet Explorer 6.0 versions are affected, except Windows XP SP2 installations."

5 of 18 comments (clear)

  1. implementation by alatesystems · · Score: 4, Informative

    I tried it on an xp SP1 box and it just freezes it.

    I tried it on Mozilla 1.7.3 and it freezes it for about a minute, and then unfreezes and shows a blank IFRAME.

    If you want to try it w/o extracting and all that stuff, click here.

    Chris

  2. Another MS security hole... by SimianOverlord · · Score: 2, Insightful

    ...already patched by Microsoft. Really, I swear half their security problems just come from clueless users not keeping up to date on patches. How hard is it to turn on Windows Update for chrissakes?

    I think this artificially inflates Linux et al.'s security record to some degree, as Linux / other OSs administrators are more likely to be up to date, being generally more technically savvy.

    --
    Meine Schwester ist sehr, sehr reizvoll - Nietzsche
    1. Re:Another MS security hole... by eyepeepackets · · Score: 3, Interesting

      "...half their security problems just come from clueless users..."

      Yes, but isn't that one of Microsoft's main selling points with Windows, that users don't need a clue, just run it and MS takes care of the rest, the great Toaster Oven of operating systems?

      "How hard is it to turn on Windows Update..."

      Most of the Windows users I run into who aren't updated are afraid to update because the last time they tried that it hosed their systems. Some few have never heard of Windows Updates.

      "...Linux / other OSs administrators are more likely to be up to date..."

      Well yeah, but some of us are just plain lazy too. *inn*

      Ciao.

      --
      Everything in the Universe sucks: It's the law!
  3. not so important these days by swright · · Score: 3, Informative

    Over 30% of web traffic is from XP SP2 now (UK traffic at least).*

    SP2 is meant to stop this kind of stuff happening. People are installing SP2.

    This is good, and a step forward - in a few weeks it's looking like it'll be over 50%.

    I don't mean to winge, but pre-SP2 security holes don't seem newsworthy to me...

    (* the company I work for runs tracking/surveying code on lots of UK commercial/retail web sites - we're seeing 3-5% per week increase in SP2 traffic, last week it went over 30% of total traffic)

  4. Re:Hmmm... by GreatDrok · · Score: 3, Interesting

    For those of us forced to use Windows at work and who are using anything other than XP SP2 this is an issue. There is no fix for Win98, ME, or 2K despite the fact that these are all in heavy use still and likely to continue for the moment. I have actually installed Firefox on this machine despite the fact that I am not supposed to for the simple reason that I just can't trust IE and I have to use the web to perform my job.

    Just sticking your head in the sand and saying people should patch their systems is not going to help when MS has decided that the features of IE on XP SP2 are not going to be back ported to IE on other platforms. If anything, this can only drive more people into the arms of Firefox et al.

    --
    "I have the attention span of a strobe lit goldfish, please get to the point quickly!"