Re: Serious vulnerabilities (security hole) in IE6

From: Peter Lawton (devnull_at_mydomain.com)
Date: 06/12/04

• Next message: FireBrick: "Have IE remember size and position"
• Previous message: Lester Anderson: "IE 6 slow to load web pages"
• In reply to: anonymous_at_discussions.microsoft.com: "Serious vulnerabilities (security hole) in IE6"
• Messages sorted by: [ date ] [ thread ]

Date: Sat, 12 Jun 2004 10:24:43 +0100

It looks very serious too, I disabled active scripting and active X in the
Internet zone and then came across this new vulnerability from yesterday:-

http://secunia.com/advisories/11830/

Between this one and the original ones it would probably be possible to run
the original vulnerability in the Trusted Sites zone as well as the Internet
Zone, assuming people have predictable domains in their "Trusted Sites"
zone, like microsoft.com or windowsupdate.com

So I've removed all MS sites from my trusted sites zone now, but of course
to run Windows Update I'll have open myself up to the vulnerabilities again.

I'm sure MS is working hard on a fix but it would be nice of them to
acknowledge the problem and say they are.

Would have been even nicer if MS had fixed the vulnerability, first reported
nearly a year ago,
http://seclists.org/lists/fulldisclosure/2003/Aug/1703.html that makes the
current vulnerabilities exploitable at all.

<anonymous@discussions.microsoft.com> wrote in message
news:1b80701c45009$09716290$a401280a@phx.gbl...
> as soon as their disgruntled workers get a bonus for fixing
> the code quick when ordered too.
>
> >-----Original Message-----
> >Just want to know when MS will release the patch for it.
> >
> >
> >Very serious vulnerabilities in Internet Explorer6(IE6),
> >are reported.
> >
> >The malicious exploit code which uses those
> >vulnerabilities, is alreadyopened to the public on the
> >Internet. So, the attacker can execute an arbitrary
> >program from remoteness on PC.
> >
> >http://www.kb.cert.org/vuls/id/713878
> >
> >Thanks,
> >Jimmy
> >.
> >

• Next message: FireBrick: "Have IE remember size and position"
• Previous message: Lester Anderson: "IE 6 slow to load web pages"
• In reply to: anonymous_at_discussions.microsoft.com: "Serious vulnerabilities (security hole) in IE6"
• Messages sorted by: [ date ] [ thread ]

Relevant Pages Re: O UT LO OK E XPRE SS 6 .00 : broken ... Outlook Express is not the only vulnerable product. ... The culprit here is the codebase localPath vulnerability which was patched ... MS02-015 crippled codeBase quite severely in Internet Explorer, ... removing most of its functionality in the Internet Zone. ... (Bugtraq) Re: [Full-Disclosure] O UTLO OK EXP RE SS 6 .00 : broken ... Outlook Express is not the only vulnerable product. ... The culprit here is the codebase localPath vulnerability which was patched ... MS02-015 crippled codeBase quite severely in Internet Explorer, ... removing most of its functionality in the Internet Zone. ... (Full-Disclosure) Re: O UT LO OK E XPRE SS 6 .00 : broken ... Outlook Express is not the only vulnerable product. ... The culprit here is the codebase localPath vulnerability which was patched ... MS02-015 crippled codeBase quite severely in Internet Explorer, ... removing most of its functionality in the Internet Zone. ... (NT-Bugtraq) [NT] Dotless IP Addresses Can Cause IE to Move into Intranet Zone ... Dotless IP Addresses Can Cause IE to Move into Intranet Zone ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The third is a new variant of a vulnerability discussed in Microsoft ... (Securiteam) 10 Month Old Vulnerability Continues to Be Core For Exploits ... Microsoft needs to decide whether THAT is in fact a ... vulnerability or a feature because without it ... For those not up on these cross zone scenarios... ... internet or restricted zone to the local zone. ... (Bugtraq)

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint