[Deep Fury]

M$i java kalad, neli neist on parandadatud, ülejäänud siiani m$i hoolimatuse tõttu augustist lappimata Traitorous computing indeed.

http://online.securityfocus.com/archive/1/290966

1) URL parsing error
Impact: impersonating a web site, cookie theft

2) Stack overflow in class loader
Impact: most likely only DoS

3) File path discovery
Impact: finding out the current directory and username

4) INativeServices memory access
Impact: reading memory space, may lead to delivery and execution of any code

5) INativeServices clipboard access
Impact: any applet can get or set the contents of clipboard

6) file:// codebase when using shares
Impact: any applet may get global file read access

7) StandardSecurityManager restriction bypassing
Impact: bypassing package access restrictions

8) com.ms.vm.loader.CabCracker
Impact: An applet may load any local .cab archive

9) Problems with HTML object passed to Java applets via JavaScript
Impact: unknown

10) HTML <applet> tag may be used to bypass Java class restrictions
Impact: unknown

[ihvike]

Tõstke käsi, kellele mõni sellistest IE aukudest kunagi mingit tegelikku kahju on tekitanud (välja arvatud lappide tõmbamiseks kulunud ajakadu ). Augud niikuinii igal pool. Ja see, et IE-l neid tihti leitakse on äkki hoopis hea?

[Deep Fury]

[TzigaLind]

[Deep Fury]

m$ lapib IEd juba pikemat aega mitu lappi korraga, siin siis jälle 6 paika. Teema ei vääri ju uut threadi selle jaoks ;(

Cumulative Patch for Internet Explorer (Q328970)
(November 20, 2002)

Affected Software:
- Microsoft Internet Explorer 5.01
- Microsoft Internet Explorer 5.5
- Microsoft Internet Explorer 6.0

Vulnerability identifiers:
- Malformed PNG Image File Failure: CVE-CAN-2002-1185
- Encoded Characters Information Disclosure: CVE-CAN-2002-1186
- Frames Cross Site Scripting: CVE-CAN-2002-1187
- Temporary Internet Files folder Name Reading: CVE-CAN-2002-1188
- Cross Domain Verification via Cached Methods: CVE-CAN-2002-1254
- Improper Cross Domain Security Validation with Frames: CVE-CAN-2002-1217

End User Buletin: http://www.microsoft.com/security/security_bulletins/ms02-066.asp

[Deep Fury]

Lisaks:

Cumulative Patch for Internet Explorer (Q324929)
Originally posted: December 04, 2002
http://www.microsoft.com/security/security_bulletins/ms02-068.asp

"A security vulnerability has been identified in Internet Explorer that could allow an attacker to compromise your Windows-based computer and, possibly, read files on it"

[olka]

offtopic
nuujah kui siin tuli jutuks juba ie6 ja tema java support siis minul igatahes on installitud sp1 windowsxp-le ja kõikvõimalikud update-d aga jippie males jookseb java all browser kolinaga mõnikord kokku ja aru ma ei saa milles point on. Installitud on veel kõikvõimalikud javapluginad jne.

[ihvike]

[olka]

[ihvike]

[Deep Fury]

Et mis siis Security Researcher uuest m$i lapist arvab.
Btw IEs on hetkel 18 turvakala, millest 6 tõsisemat klassi Way to go m$ ...


Following the release of the cumulative MS02-066 patch from the previous
week, Microsoft has released yet another cumulative patch for Internet
Explorer - MS02-068, which can be found at
http://www.microsoft.com/technet/security/bulletin/MS02-068.asp

The sole vulnerability that MS02-068 patches is the "external object
caching" vulnerability discovered by GreyMagic Software. The rater
surprising aspects of this bulletin is the extensive downplaying of severity
and the incorrect mitigating factors.

Microsoft has given this vulnerability a maximum severity rating of
"Moderate". Great, so arbitrary command execution, local file reading and
complete system compromise is now only moderately severe, according to
Microsoft.

Moving on to the technical description, we see yet more inaccuracies. The
entire first paragraph is a falsum:

"Exploiting the vulnerability could enable an attacker to read, but not
change, any file on the user's local computer. In addition, the attacker
could invoke an executable that was already present on the local system. The
attacker would need to know the exact location of the executable, and would
not be able to pass parameters to it. Microsoft is not aware of any
executable that ships by default as part of Windows and, when run without
parameters, could be dangerous. "

Allow me to rephrase:
Exploiting the vulnerability could enable an attacker to perform any action
on the local computer that the user being exploited can perform. This
includes, but is not limited to, reading and changing any file on the user's
local computer, forcefully placing arbitrary files on the system in any
location and invoking any executable on the system both with and without
parameters.

Further down we find yet more inaccuracies:
"Without the ability to pass parameters, it's unlikely that an attacker
could do much. For instance, although the attacker could run the command
prompt, he couldn't pass a command (e.g., format c to it. "
"This vulnerability provides no way for an attacker to transfer a program of
their choice to the user's system. "

Since we can already create and execute arbitrary command scripts on the
machine, I fail to see how the above can be remotely accurate. Accomplishing
this is as simple as creating and executing an automated FTP script, or
merely recreating an EXE file from an embedded string in the HTML.

Microsoft are very much aware of this, and even modified the MS02-066
bulletin (following the post from GreyMagic on Bugtraq) to provide
assistance in mitigating how the HTML Help control can execute commands in
the local zone.

It seems like Microsoft are deliberately downplaying the severity of their
vulnerabilities in an attempt to gain less bad press. It sure would look bad
to release 2 critical cumulative updates in just 2 weeks, but that is
exactly what has been done. As it stands now, the bulletin is released and
most journalists willing to comment have already noticed the "Moderate"
label and the extensive list of (incorrect) mitigating factors, and quite
likely will not write anything on just how severe this really is. I doubt
most people care to read the revisions to the bulletin that will come later.

There are currently 18 unpatched publicly known vulnerabilities in Internet
Explorer, of which I have labelled 6 as severe.

http://www.pivx.com/larholm/unpatched/


Regards
Thor Larholm, Security Researcher
PivX Solutions, LLC

[Deep Fury]

Unustasin mainida et ms02-66 kirjeldab ka kala pngfilt.dll (version 6.0.2600.0 and prior) failis, ehk siis avades spetsiaalselt muuudetud päisega png faili (a la pilt internetis) saab pahalane jooksutada ohvri masinas suvalist tarkvara.

"By supplying a carefully crafted memory management header, we
can alter any 32-bit address to which we have write access in Internet
Explorer’s virtual address space"

http://www.microsoft.com/security/security_bulletins/ms02-066.asp
http://www.eEye.com