“Security researchers have raised the alarm for a series of unrelated, high-risk vulnerabilities in Microsoft Corp.'s Internet Explorer and the open-source Mozilla browsers.
According to a Secunia advisory, the most serious IE flaw could be exploited by a malicious hacker to hijack a vulnerable machine, conduct cross-site/zone scripting and bypass a security feature in Microsoft Windows XP SP2.
For its part, Microsoft has confirmed it is investigating a "Click and Scroll" issue in IE and has posted a temporary workaround to protect users from the flaw.
In a Knowledge Base article, the software company said the bug could make it possible for an attacker to put a malicious file on a PC if a user visits a Web site.
Microsoft recommends that users install the most recent cumulative fix for IE and disable the "drag-and-drop" or "copy-and-paste files" option across a domain.
Another unpatched IE flaw could allow an embedded HTML Help control on a malicious Web site to execute local HTML documents or inject arbitrary script code.
A third vulnerability exists in the handling of the "Related Topics" command in an embedded HTML Help control. Secunia said this bug can be exploited to launch harmful script code in the context of arbitrary sites or zones.
Secunia has posted a vulnerability test online to demonstrate the flaws.
The updated IE warning comes on the heels of a Bugtraq advisory for multiple flaws in Mozilla, Firefox and Thunderbird products.
The Mozilla Foundation has rolled out new versions to patch the holes, which range from a potential buffer overflow and temporary files disclosure to anti-spoofing issues.
According to the advisory, a potentially exploitable buffer overflow was discovered in the way Mozilla and Firefox handle NNTP URLs.
Also fixed is a way of spoofing filenames in the "What should Firefox do with this file" dialog-box option.
"A remote attacker could craft a malicious NNTP link and entice a user to click it, potentially resulting in the execution of arbitrary code with the rights of the user running the browser," the advisory read.”
http://www.eweek.com/article2/0,1759,1749293,00.asp?kc=ewnws011005dtx1k0000599
Posts
No comments:
Post a Comment