Saturday, December 18, 2004

A 'critical' bug in IE 6.0

The bug, which has been confirmed on a fully patched Windows XP system with IE 6.0 and Service Pack 2, could allow a scammer to display a fake Web site that carries all the attributes of a genuine, secure site, including the URL in the address bar and the padlock icon indicating an SSL connection, according to researchers.

"Ordinarily, to spoof a site you have to have some issue on the Web site that you want to manipulate, which restricts what you can do," said Thomas Kristensen, chief technology officer at the independent security firm Secunia. "Because this is embedded in IE by default, it's possible to inject content into any Web site. There's no way for a Web site to protect itself against this."

For example, you go to, say, paypal.com. Following best practice, you even look for the little padlock icon at the bottom right of the Internet Explorer window and conclude that the site is surely safe. Not so. With this bug exploited, the scammer can 'hijack' your browser: the address bar will show paypal.com with all its attributes, but all of the content will be supplied by the attacker. The practical lesson is that the URL and the padlock only tell you what the browser believes about the connection it made; when the browser itself renders attacker-controlled content under a trusted URL, neither indicator can help you, and the site's own security posture is irrelevant.

Separately, the Windows Firewall that ships with SP2 has a problem of its own. "After you set up Microsoft Windows Firewall in Microsoft Windows XP Service Pack 2 (SP2), you may discover that your computer can be accessed by anyone on the Internet when you use a dial-up connection to connect to the Internet," Microsoft said in a knowledge base article.

The fix for that firewall issue was not included, or even mentioned, in the five critical updates Microsoft released earlier this week, which were also covered in this blog.

Gary Schare, director of Windows product management at Microsoft, said it was "an unfortunate oversight" that the SP2 update was shipped without notice. Notice to whom?

Anyway, Microsoft did release a patch for the vulnerability after the security firm Secunia reported it. The patch can be downloaded automatically through Microsoft's update website.

2 comments:

Rafay Bin Ali said...

Name one product (related to computers, that is) that is 100 percent free of bugs?

Rafay Bin Ali said...

A virus is a piece of code that is also susceptible to bugs. However, in a viral (virus) context, a "bug" means a piece of code that does no damage.