[VULNERABLE] Microsoft Internet Explorer

11/06/2004 - 22:31 by Ille Corvus
Internet Explorer Security Zone Bypass and Address Bar Spoofing Vulnerability
http://secunia.com/advisories/11830/


Critical: Moderately critical
Impact: Security Bypass, Spoofing
Where: From remote

Software: Microsoft Internet Explorer 6


Description:
bitlance winter has reported a vulnerability in Internet Explorer
(IE), allowing malicious people to bypass security zones or conduct
phishing attacks.

The vulnerability is caused due to an error within the handling of
URLs, which may cause IE to view a web site in context of another less
secure security zone than intended.

Example:
http://[trusted_site]%2F%20%20%20.[malicious_site]/

Successful exploitation may allow a web page to be displayed in
context of another domain e.g. in the "Trusted sites" or "Local
intranet" security zones. However, a malicious web site's domain has
to support wildcard DNS and accept invalid values in the "Host:"
header.

The issue can also be exploited to potentially trick users into
supplying sensitive information to a malicious web site, because
information displayed in the address bar can be constructed in a
certain way. This may lead users to believe that they're visiting
another web site than the displayed web site.

The vulnerability has been confirmed on a fully patched Windows XP
system with IE 6.0. Other versions may also be affected.

NOTE: The vulnerability may present a greater risk on systems, where
predictable domains are in the "Trusted sites" zone. This can also be
combined with other unfixed vulnerabilities to bypass mitigating
steps, where Active Scripting has been disabled for all zones but
"Trusted sites".

Solution:
Set the security level for all zones to "High" in Internet Explorer.
This will impair functionality on many web sites.

Don't follow links from untrusted sources, but input URLs manually in
the address bar.

Use another browser.



Worthy of Filtering (Global Kill-File):
tella llop, jm (N.B. 2003.10.25)


"Proprietary software will be only for those who can pay for it."
"Free software is for all of Humanity."
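The flaw described in the advisory comes down to two parsers disagreeing about where the host name ends: DNS resolves the whole string up to the first literal "/", while a parser that percent-decodes first stops at the decoded "%2F". As an added defender-side example (not part of the advisory or of this post), the Python below shows how a proxy or log filter can flag URLs of that shape by comparing the two host views and reporting encoded delimiters inside the authority. The host names are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample in the shape the advisory shows: a percent-encoded "/"
# and spaces sit inside what DNS treats as one long host name. Both host
# names are placeholders, not real sites.
SAMPLE = "http://intranet.example.com%2F%20%20%20.attacker.example/login"

# Percent-encodings that, once decoded, become URL delimiters. Seen inside
# the authority they are a strong sign that two parsers will disagree.
_ENCODED_DELIMS = {"%2f": "/", "%5c": "\\", "%20": " ", "%40": "@"}

# scheme "://" then everything up to the first literal "/", "?" or "#"
_AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)")


def strict_host(url):
    """Host per RFC 3986: percent-encodings are left intact, so this is the
    name a resolver actually looks up (wildcard DNS makes it resolve)."""
    m = _AUTHORITY.match(url)
    if not m:
        return None
    host = m.group(1).rsplit("@", 1)[-1]          # drop any userinfo
    if host.count(":") == 1:                        # drop an explicit port
        host = host.rsplit(":", 1)[0]
    return host


def decode_first_host(url):
    """Host as a parser that percent-decodes *before* splitting sees it.
    The decoded "/" ends the authority early, leaving only the leading,
    trusted-looking label; this is the mismatch the advisory describes."""
    return strict_host(unquote(url))


def spoof_indicators(url):
    """Reasons a URL's authority looks crafted to mislead a zone check or a
    person reading the address bar; an empty list means nothing suspicious."""
    reasons = []
    m = _AUTHORITY.match(url)
    if not m:
        return reasons
    authority = m.group(1).lower()
    for enc, char in _ENCODED_DELIMS.items():
        if enc in authority:
            reasons.append(f"encoded delimiter {enc} ({char!r}) inside authority")
    strict, naive = strict_host(url), decode_first_host(url)
    if strict and naive and strict.lower() != naive.lower():
        reasons.append(f"host differs by parser: strict={strict!r} decode-first={naive!r}")
    return reasons
```

Running `spoof_indicators(SAMPLE)` yields three findings (the encoded "/", the encoded spaces, and the host mismatch), while a plain `http://intranet.example.com/login` yields none.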
 


#1
12/06/2004 - 01:51
This is older than the vice of borrowing and not paying back.
Older than the crow's insults.

But this one is recent:
http://www.iespana.es/_hforum/forum...mId=Kaputt

The dirty crow climbed onto its branch, pecked at its carrion and said:
"Proprietary software will be only for those who can pay for it."
"Free software is for all of Humanity."


"The cracks are all mine"
