Information Security News mailing list archives

New security flaw in Outlook, IE


From: InfoSec News <isn () c4i org>
Date: Thu, 11 Jul 2002 06:01:22 -0500 (CDT)

http://news.com.com/2100-1001-942980.html?tag=fd_top

By Robert Lemos 
Staff Writer, CNET News.com
July 10, 2002, 5:25 PM PT

A Danish security researcher warned users of Microsoft's Internet
Explorer, Outlook and Outlook Express applications that a recently
discovered software flaw could leave their system open to malicious
code carried on Web pages or in e-mails.

In an advisory released Wednesday, Thor Larholm, a security researcher
and partner at risk-assessment company PivX Solutions, warned that
HTML objects embedded in Web pages and e-mails could carry code that
allows an attacker to check out victims' cookie files, read their
documents, and execute programs on their computer.

The bug, known as a cross-domain scripting flaw, was discovered on
June 25, and information about it has been posted on several security
lists since then. Larholm also informed Microsoft of the bug the day
it was discovered.

"Since this is possibly very publicly known...I have decided to
release this advisory after only two weeks time," Larholm said in the
warning.

Microsoft thought Larholm had overstated the seriousness of the flaw.
"Thor's advisory doesn't make it clear that there are significant
mitigating factors associated with the issue," said a company
representative, adding that people who limited their browsing to
trusted sites would be safe as would people who had installed one of
the software giant's patches for its e-mail clients.

The company chose to lambaste Larholm for disclosing the flaw too
quickly. "It's a shame that Thor chose to publicize this issue before
the patch could be completed, because by doing so, he's significantly
increased the risk to customers," the representative said.

The amount of information disclosed about a flaw, and how fast
consultants make the disclosure, has been a point of contention
between software makers and the bug finders based at security
companies. Recent research suggests, however, that the corporate
customers who suffer from software makers' slipups actually want flaws
disclosed more quickly.

Hackers and security experts frequently find software flaws in
Microsoft's Internet Explorer. In June, Microsoft released a patch for
an IE flaw that allowed attackers to run code on a victim's computer
by exploiting links to an old pre-Web protocol known as Gopher. The
month before that, the company released a patch for IE that fixed six
different flaws.

To mitigate the current problem, Larholm recommended that users disable
ActiveX in the security settings for Internet Explorer, or run IE and
Outlook in "Restricted" mode, at least until Microsoft releases a
patch.
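A way for an administrator to audit whether the workaround above is actually in place on a Windows machine, as an added example that is not part of the article or of Larholm's advisory. It assumes the Internet Explorer zone layout Microsoft documents in the registry (zone 3 = Internet, zone 4 = Restricted sites; action 1200 = "Run ActiveX controls and plug-ins", 1400 = "Active scripting"; data 0 = enable, 1 = prompt, 3 = disable).

```powershell
# Audit IE security-zone settings that the article's workaround relies on.
# Assumed registry layout (per-user zone policy):
#   HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>
#   <zone>: 3 = Internet, 4 = Restricted sites
#   action 1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting
#   data   0 = Enable, 1 = Prompt, 3 = Disable
$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Actions  = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$Meaning  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneActionSetting {
    param([int]$Zone, [string]$Action)
    $key = Join-Path $ZoneRoot $Zone
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$Action) { return $null }   # not set -> IE default applies
    return [int]$props.$Action
}

function Test-ActiveXMitigation {
    # Returns one row per zone/action with a PASS/FAIL verdict.
    # Verdict policy (an assumption for this audit, not Microsoft's recommendation):
    #   Internet zone (3): ActiveX must be Prompt or Disable; scripting may stay as-is.
    #   Restricted zone (4): both ActiveX and scripting must be Disable.
    foreach ($zone in 3, 4) {
        foreach ($action in $Actions.Keys) {
            $value = Get-ZoneActionSetting -Zone $zone -Action $action
            $ok = switch ($zone) {
                3 { ($action -eq '1400') -or ($value -in 1, 3) }
                4 { $value -eq 3 }
            }
            [pscustomobject]@{
                Zone    = if ($zone -eq 3) { 'Internet' } else { 'Restricted sites' }
                Setting = $Actions[$action]
                Value   = if ($null -eq $value) { 'not set (IE default)' } else { $Meaning[$value] }
                Verdict = if ($ok) { 'PASS' } else { 'FAIL' }
            }
        }
    }
}

Test-ActiveXMitigation | Format-Table -AutoSize
```

A FAIL on the Internet-zone ActiveX row means the workaround the article describes has not been applied for the current user; machine-wide policy under HKLM can override these values, so check both hives where Group Policy is in use.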

Microsoft said a patch will be available soon.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.