To: thecow who wrote (37318) 10/9/2003 8:03:29 PM
From: Elsewhere
Internet Explorer vulnerabilities

Here's a list of Microsoft Internet Explorer vulnerabilities which I picked up from the following article by a German IT news service:

Sicherheitsupdates von Microsoft lassen weiterhin Lücken offen
[Microsoft security patches continue to leave open holes]
heise.de

The article contains a link to the following site:

Unpatched IE security holes
pivx.com

The list has been removed from the Web but was posted in the discussion thread of the article. Note: some of the linked sites - especially those labeled "exploits" - might be a security risk and/or compromise the PC, so try them at your own risk.

Media bar resource injection
Description: Arbitrary file download and execution, by the ability to load resource files in a window object
Reference: lists.netsys.com
Exploit: ip3e83566f.speed.planet.nl

file-protocol proxy
Description: cross-domain scripting, cookie/data/identity theft, command execution
Reference: safecenter.net
Exploit: safecenter.net

NavigateAndFind protocol history
Description: cross-domain scripting, cookie/data/identity theft, command execution
Reference: safecenter.net
Exploit: safecenter.net

window.open search injection
Description: cross-domain scripting, cookie/data/identity theft, command execution
Reference: safecenter.net
Exploit: safecenter.net

NavigateAndFind file proxy
Description: cross-domain scripting, cookie/data/identity theft, command execution
Reference: safecenter.net
Exploit: safecenter.net

Timed history injection
Description: cross-domain scripting, cookie/data/identity theft, command execution
Reference: safecenter.net
Exploit: safecenter.net

history.back method caching
Description: cross-domain scripting, cookie/data/identity theft, command execution
Reference: safecenter.net
Exploit: safecenter.net

Click hijacking
Description: Pointing IE mouse events at non-IE/system windows
Reference: safecenter.net
Exploit: safecenter.net

Re-evaluating HTML evaluation dataSrc command execution
Description: Allows execution of arbitrary commands in Local Zones
Detail: This bug is related to the codebase local path bug, but details the actual issue and runs without scripting or ActiveX enabled
Published: February 28th 2002
Reference: security.greymagic.com
Example exploit: security.greymagic.com
Note: See 6th May 2003 Notes.

Notes September 2003:
Renamed and re-added, symptom fixed instead of problem. Now demonstrates how to reach HTA functionality.
Reference: msgs.securepoint.com
Example exploit: malware.com
Example exploit without scripting: malware.com
Temporary workaround: Change the mime-type application/hta to something else

ADODB.Stream local file writing
Description: Planting arbitrary files on the local file system
Exploit: ip3e83566f.speed.planet.nl
(but unrelated to the EEye exploit)

Notepad popups
Description: Opening popup windows without scripting
Reference: computerbytesman.com
Followup: msgs.securepoint.com
Note: This is just an example of the problem, this entry will be replaced when more material is published

protocol control chars
Description: Circumventing content filters
Reference: badwebmasters.net
Exploit: badwebmasters.net

WMP local file bounce
Description: Switching security zone, arbitrary command execution, automatic email-borne command execution
Reference: ntbugtraq.com
Exploit: malware.com!.html

HTTP error handler Local Zone XSS
Description: HTML/Script injection in the Local Zone
Reference: sec.greymagic.com
Exploit: sec.greymagic.com

XSS in Unparsable XML Files
Description: Cross-Site Scripting on any site hosting files that can be misrendered in MSXML
Reference: sec.greymagic.com
Exploit: sec.greymagic.com

Alexa Related Privacy Disclosure
Description: Unintended disclosure of private information when using the Related feature
Reference: secunia.com
Reference: imilly.com

Basic Authentication URL spoofing
Description: Spoofing the URL displayed in the Address bar
Reference: msgs.securepoint.com

DNSError folder disclosure
Description: Gaining access to local security zones
Reference: msgs.securepoint.com

mhtml wecerr CAB flip
Description: Delivery and installation of an executable
Reference: msgs.securepoint.com

WebFolder data Injection
Description: Injecting arbitrary data in the My Computer zone
Reference: msgs.securepoint.com

codebase local path
Description: Allows execution of arbitrary commands in Local Zones
Hinted: June 25th 2000 by Dildog
Reference: online.securityfocus.com
Hinted: November 23rd 2000 by Georgi Guninski
Reference: guninski.com
Published: January 10th 2002, by thePull (incorrectly labeled the "Popup object" vulnerability)
Reference: home.austin.rr.com
Example exploit: home.austin.rr.com
Note: See 6th May 2003 Notes.

Web Archive buffer overflow
Description: Possible automated code execution.
Reference: msgs.securepoint.com

dragDrop invocation
Description: Arbitrary local file reading through native Windows dragDrop invocation.
Reference: msgs.securepoint.com
Exploit: kuperus.xs4all.nl

document.domain parent DNS resolver
Description: Improper duality check leading to firewall breach
Published: July 29 2002
Reference: online.securityfocus.com

FTP Folder View XSS
Description: Elevating privileges, running script in the My Computer zone, arbitrary command execution, etc.
Published: June 7th 2002 (Microsoft was notified December 21st 2001.)
Reference: geocities.co.jp
Exploit: jscript.dk

DynSrc Local File detection
Description: Detect if a local file exists, and read its size/date
Published: March 27th 2002
Reference: security.greymagic.com
Status: Patched in IE6 by IE6 Service Pack 1, but IE5 and 5.5 are still vulnerable.

Security zone transfer
Description: Automatically opening IE + Executing attachments
Published: March 22nd 2002
Reference: security.greymagic.com

Extended HTML Form Attack
Description: Cross Site Scripting through non-HTTP ports, stealing cookies, etc.
Published: February 6th 2002
Reference: eyeonsecurity.org

"script src" local file enumeration
Description: Enables a malicious programmer to detect if a local file exists.
Published: January 3rd 2002
Reference: securityfocus.com
Example exploit: jscript.dk

IE https certificate attack
Description: Undetected SSL man-in-the-middle attacks, decrypting SSL-encrypted traffic in realtime
Published: December 22 2001 (Stefan Esser)
Published: June 6 2000 (ACROS)
Reference: security.e-matters.de
Example exploit: suspekt.org
Status: Initially fixed in IE4 and early IE5s by MS00-039, re-introduced by a later patch.