#1 Coolio_G, posted 02-06-10 at 11:53 AM

Microsoft warns of IE flaw, turns PC into public file server

Microsoft has issued Security Advisory (980088) to address a publicly disclosed vulnerability in Internet Explorer that may allow information disclosure for Windows XP users or for users who have disabled Internet Explorer Protected Mode. The advisory explains that content can be forced to render incorrectly from local files in such a way that information can be exposed to malicious websites.
The vulnerability was discussed in depth at this week's Black Hat DC conference by Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies who revealed the issue a day after Microsoft released an out-of-band security bulletin for the browser. Here's the official description of the briefing: "In this presentation we will show how an attacker can read every file of your filesystem if you are using Internet Explorer. This attack leverages different design features of Internet Explorer entailing security risks that, while low if considered isolated, lead to interesting attack vectors when combined altogether. We will also disclose and demonstrate proof of concept code developed for the scenarios proposed."
Users running a version of Internet Explorer that does not have Protected Mode, or users who have decided to disable Protected Mode, are exposed to an attacker who can access files with an already known filename and location. Versions affected include Internet Explorer 5.01 and IE6 SP1 on Windows 2000 SP4, as well as IE6, IE7, and IE8 on supported editions of Windows XP and Windows Server 2003. Microsoft made sure to note that Protected Mode prevents exploitation of this vulnerability and is running by default for IE7 and IE8 on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
Redmond also underlined that it is currently unaware of any attacks trying to use the vulnerability and is actively monitoring the situation and may provide a security update on an upcoming Patch Tuesday or an out-of-cycle patch once it is ready. The next Patch Tuesday is scheduled for February 9, 2009, but we're not likely to see a patch out that soon. As always, Microsoft is recommending users upgrade to IE8 (the company urged users to upgrade away from IE6 and XP after hacks affecting IE6 last month).
In the meantime, the software giant listed five mitigating factors for the vulnerability:
  • Protected Mode in IE7/IE8 on Windows Vista and later limits the impact of the vulnerability.
  • In a Web-based attack scenario, an attacker could host a webpage that is used to exploit this vulnerability or do so via a webpage that accepts or hosts user-provided content or advertisements. In all cases, however, an attacker would have no way to force users to visit these websites and would have to convince them to do so, which is typically achieved via an e-mail or instant message.
  • An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
  • By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High and so is a mitigating factor for websites that you have not added to the Internet Explorer Trusted sites zone.
  • By default, all supported versions of Outlook, Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone, which should mitigate attacks trying to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.
Microsoft outlined three workarounds in the security advisory. The first is to modify Internet Explorer's settings: set the Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones. The second suggests configuring Internet Explorer to prompt before running Active Scripting or disabling Active Scripting completely in the Internet and local intranet security zone. The third one is to enable Internet Explorer Network Protocol Lockdown for Windows XP. It requires editing the Windows registry, but thankfully Microsoft has created a "Fix it for me" for this workaround, available at KB 980088. Just click the "Fix this problem" link and you're good to go. The Fix It automates Network Protocol Lockdown and can be run on individual systems and deployed by enterprises through their automated systems.
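
The second workaround described in the post above (prompt before running Active Scripting, or disable it, in the Internet and Local intranet zones) can be audited from the registry. This is an added example, not part of the original post or of Microsoft's advisory; it assumes the standard Internet Explorer zone layout (zone 1 = Local intranet, zone 3 = Internet, URL action 1400 = Active Scripting), and the function name is hypothetical.

```powershell
# Added example: report the Active Scripting setting (URL action 1400)
# for the Local intranet and Internet zones of the current user.
# Uses PowerShell 2.0 syntax so it also runs on older Windows systems.
$zoneNames = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$meanings  = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$suffix    = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-ActiveScriptingSetting {   # hypothetical helper name
    param([int]$Zone)
    # Policy locations, when present, take precedence over the user's own setting.
    $paths = @(
        "HKLM:\Software\Policies\$suffix\$Zone",
        "HKCU:\Software\Policies\$suffix\$Zone",
        "HKCU:\Software\$suffix\$Zone"
    )
    foreach ($path in $paths) {
        $item = Get-ItemProperty -Path $path -Name '1400' -ErrorAction SilentlyContinue
        if ($item) {
            return New-Object PSObject -Property @{
                Source = $path
                Value  = [int]$item.'1400'
            }
        }
    }
    return $null   # the value is not set in any of the locations checked
}

foreach ($zone in ($zoneNames.Keys | Sort-Object)) {
    $found = Get-ActiveScriptingSetting -Zone $zone
    if ($found) {
        $setting = $meanings[$found.Value]
        if (-not $setting) { $setting = "Unknown ($($found.Value))" }
        # The workaround is met by Prompt (1) or Disabled (3).
        $ok     = (1, 3) -contains $found.Value
        $source = $found.Source
    } else {
        $setting = 'Not set'; $ok = $false; $source = '-'
    }
    New-Object PSObject -Property @{
        Zone            = $zoneNames[$zone]
        ActiveScripting = $setting
        MeetsWorkaround = $ok
        Source          = $source
    } | Select-Object Zone, ActiveScripting, MeetsWorkaround, Source
}
```

The script only reads the registry; a zone reported as Enabled or Not set has not had the workaround applied for that user.
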
#2 4 CORNER HUSTLA, posted 02-06-10 at 07:50 PM

And that is probably another good reason why I don't use, and haven't used, IE for a good year or so. FF all day.