AusCERT today sent out an email advising that the recent Microsoft patch for Internet Explorer (IE) does NOT fix all outstanding vulnerabilities. It simply mitigates the effect of one of the exploits. Users of IE (on Windows, not Mac) should probably read the report (available at http://www.auscert.org.au/4173) but for those who can’t be bothered, the key points are:
AusCERT again advises that working proof of concept exploit code has been published for all recent versions of Microsoft Internet Explorer. There are reports of activity using this exploit. AusCERT expects this exploit code to be utilised in the installation of trojan horse software which may capture sensitive account details.
AND
All versions of Microsoft Internet Explorer are vulnerable and there are currently no patches available.
IE uses the concept of ‘zones’ to decide what privileges browser content should be given. Content in a trusted zone, such as on your local computer, is given higher privileges than content located in an untrusted zone, such as on a remote webserver. The exploits trick IE into treating remote content as if it were on your local computer, allowing unknown and untrusted code to run with the privileges of the current user.
Even if you don’t browse the web using IE, hostile email messages which are viewed using IE’s rendering engine can also run hostile code. Email clients that use IE for viewing HTML mail include Outlook, Outlook Express and Eudora.
AusCERT offers a number of suggestions as to how to mitigate the danger (see the link above) including using another web browser.
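As an added example (not from this post or the AusCERT advisory), here is a small Python audit that parses a .reg export of the per-user IE zone settings and flags untrusted zones in which active content is still allowed, since restricting scripting and ActiveX in the Internet zone was one of the standard hardening steps for this class of bug. The zone numbers (0 My Computer through 4 Restricted sites), the URL-action value names (1200 Run ActiveX controls and plug-ins, 1400 Active scripting, 1004 Download unsigned ActiveX controls) and the 0/1/3 enable/prompt/disable encoding are IE's own; the export text embedded in the block is constructed for the example, and choosing the Internet and Restricted zones as the ones that must be locked down is this example's assumption.

```python
"""Audit Internet Explorer zone settings from a .reg export.

Added example, not part of the AusCERT advisory or the original post.
REG_SAMPLE below is a constructed export of
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones.
"""
import re

# Zone numbers as IE stores them under ...\Internet Settings\Zones\<n>
ZONE_NAMES = {
    "0": "My Computer",
    "1": "Local intranet",
    "2": "Trusted sites",
    "3": "Internet",
    "4": "Restricted sites",
}

# URL-action values that govern active content in a zone
ACTIONS = {
    "1200": "Run ActiveX controls and plug-ins",
    "1400": "Active scripting",
    "1004": "Download unsigned ActiveX controls",
}

# IE's encoding for these values: 0 = enable, 1 = prompt, 3 = disable
ENABLED, PROMPT, DISABLED = 0, 1, 3

# Constructed sample: Internet zone still permits scripting and prompts for
# ActiveX; Restricted sites zone has everything disabled.
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1200"=dword:00000001
"1400"=dword:00000000
"1004"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"DisplayName"="Restricted sites"
"1200"=dword:00000003
"1400"=dword:00000003
"1004"=dword:00000003
"""

KEY_RE = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d)\]$")
VAL_RE = re.compile(r'^"(\d{4})"=dword:([0-9a-fA-F]{8})$')


def parse_zone_export(text):
    """Return {zone_id: {action_id: int}} parsed from .reg export text."""
    zones = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            zones.setdefault(current, {})
            continue
        val = VAL_RE.match(line)
        if val and current is not None:
            zones[current][val.group(1)] = int(val.group(2), 16)
    return zones


def weak_settings(zones, zone_ids=("3", "4")):
    """List (zone name, action, value) for every action in the given zones
    that is not set to DISABLED. A value absent from the export is reported
    too, because nothing in the export shows it was hardened."""
    findings = []
    for zone_id in zone_ids:
        settings = zones.get(zone_id, {})
        for action, description in ACTIONS.items():
            value = settings.get(action)
            if value != DISABLED:
                findings.append((ZONE_NAMES[zone_id], description, value))
    return findings


if __name__ == "__main__":
    for zone, action, value in weak_settings(parse_zone_export(REG_SAMPLE)):
        state = {ENABLED: "enabled", PROMPT: "prompt"}.get(value, "not set")
        print(f"{zone}: '{action}' is {state}")
```

Run it against a real export (`reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones" zones.reg` on the Windows machine) by reading the file into `parse_zone_export` instead of `REG_SAMPLE`. Note that this only audits the untrusted zones; the exploits the advisory describes work precisely by moving content into the permissive My Computer zone, so tightening zone settings reduces the attack surface but, as the post says, is not a complete fix on its own.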
This entry was posted on Monday, July 12th, 2004 at 17:39 and is filed under Technology.