Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • December 07, 2016, 02:19:16 PM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: *URGENT* Patch IE security flaw (31 January 2011)  (Read 3774 times)

lanux128

  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 6,258
    • View Profile
    • Coding Snacks by Lanux128
    • Read more about this member.
    • Donate to Member
*URGENT* Patch IE security flaw (31 January 2011)
« on: February 01, 2011, 05:10:22 AM »
BBC ran this news about a "newly-discovered flaw in Windows that could be used by malicious hackers to steal private information or hijack computers". it seems that Microsoft has issued a software patch while a long-term fix is in the works. The patch can be found here.

firefox_01_02_2011_001.png

http://www.bbc.co.uk.../technology-12325139

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 36,409
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: *URGENT* Patch IE security flaw (31 January 2011)
« Reply #1 on: February 01, 2011, 05:33:30 AM »
Thanks for the heads up  :up:

fenixproductions

  • Honorary Member
  • Joined in 2006
  • **
  • Posts: 1,184
    • View Profile
    • Donate to Member
Re: *URGENT* Patch IE security flaw (31 January 2011)
« Reply #2 on: February 01, 2011, 07:04:22 AM »
Quote from: MS
Published: January 28, 2011
It is always amazing for me to see how some news are picked up as "super new" when actually being few days old.

Or maybe other people just have life and not keep reading Internet all of their time ;)

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 7,714
    • View Profile
    • The Blog of Deozaan
    • Read more about this member.
    • Donate to Member
Re: *URGENT* Patch IE security flaw (31 January 2011)
« Reply #3 on: February 01, 2011, 07:41:18 PM »
Glad I don't use IE. Thanks for bringing this to our attention. :Thmbsup:


wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,406
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
Re: *URGENT* Patch IE security flaw (31 January 2011)
« Reply #4 on: February 01, 2011, 09:32:11 PM »
^ But do you have it on your machines?  Because of certain sites, I have to have it on my machine for work.  I don't actively use it unless I'm using those sites... but still it's there...

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 7,714
    • View Profile
    • The Blog of Deozaan
    • Read more about this member.
    • Donate to Member
Re: *URGENT* Patch IE security flaw (31 January 2011)
« Reply #5 on: February 01, 2011, 10:27:21 PM »
^ But do you have it on your machines?  Because of certain sites, I have to have it on my machine for work.  I don't actively use it unless I'm using those sites... but still it's there...

Yes, I have it on my machines, and there are certain websites (usually government ones!) that require IE to be used. That's why I'm glad it was brought to my attention.


Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,296
    • View Profile
    • www.StoicJoker.com
    • Donate to Member
Re: *URGENT* Patch IE security flaw (31 January 2011)
« Reply #6 on: February 01, 2011, 11:01:56 PM »
From the MS Security Advisory (Mitigating Factors and Suggested Actions):

Quote
In a Web-based attack scenario, a Web site could contain a specially crafted link (MHTML:) that is used to exploit this vulnerability. An attacker would have to convince users to visit the Web site and open a specially crafted URL, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site, and then convincing them to click the specially crafted link.

So once again it's only those who blindly click away at anything that are (actually vulnerable) affected.

Microsoft Security Advisory (2501696)

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,666
    • View Profile
    • App's Apps
    • Read more about this member.
    • Donate to Member
Re: *URGENT* Patch IE security flaw (31 January 2011)
« Reply #7 on: February 02, 2011, 03:58:52 AM »
From the MS Security Advisory (Mitigating Factors and Suggested Actions):

Quote
In a Web-based attack scenario, a Web site could contain a specially crafted link (MHTML:) that is used to exploit this vulnerability. An attacker would have to convince users to visit the Web site and open a specially crafted URL, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site, and then convincing them to click the specially crafted link.

So once again it's only those who blindly click away at anything that are (actually vulnerable) affected.

Microsoft Security Advisory (2501696)

My concern would be users of sites like Twitter, where shortened links are routinely used and you don't really know where they are going. Could one of these specially crafted links be shortened and then posted on Twitter with a catchy headline promising news about current events or other attractive content?

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,296
    • View Profile
    • www.StoicJoker.com
    • Donate to Member
Re: *URGENT* Patch IE security flaw (31 January 2011)
« Reply #8 on: February 02, 2011, 06:50:32 AM »
My concern would be users of sites like Twitter, where shortened links are routinely used and you don't really know where they are going. Could one of these specially crafted links be shortened and then posted on Twitter with a catchy headline promising news about current events or other attractive content?

Now, that is an interesting question... While I'd be inclined to say no - exploit should have no effect if sent to the wrong page processor - I'm not entirely sure. But I've always had an aversion stubby links.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,406
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
Re: *URGENT* Patch IE security flaw (31 January 2011)
« Reply #9 on: February 02, 2011, 12:38:33 PM »
My concern would be users of sites like Twitter, where shortened links are routinely used and you don't really know where they are going. Could one of these specially crafted links be shortened and then posted on Twitter with a catchy headline promising news about current events or other attractive content?

Now, that is an interesting question... While I'd be inclined to say no - exploit should have no effect if sent to the wrong page processor - I'm not entirely sure. But I've always had an aversion stubby links.

NPR had a talk with the head engineer (or some such title) at bit.ly.  She said that there was inbuilt protection against this, using a combination of whitelists/blacklists and heuristics... if a link is questionable (it's not in either of these lists) it goes to a list to be manually checked... but they only have 20 people *total* so there is a window where a potentially malicious link is waiting to be checked and in the wild.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,296
    • View Profile
    • www.StoicJoker.com
    • Donate to Member
Re: *URGENT* Patch IE security flaw (31 January 2011)
« Reply #10 on: February 02, 2011, 02:53:39 PM »
My concern would be users of sites like Twitter, where shortened links are routinely used and you don't really know where they are going. Could one of these specially crafted links be shortened and then posted on Twitter with a catchy headline promising news about current events or other attractive content?

Now, that is an interesting question... While I'd be inclined to say no - exploit should have no effect if sent to the wrong page processor - I'm not entirely sure. But I've always had an aversion stubby links.

NPR had a talk with the head engineer (or some such title) at bit.ly.  She said that there was inbuilt protection against this, using a combination of whitelists/blacklists and heuristics... if a link is questionable (it's not in either of these lists) it goes to a list to be manually checked... but they only have 20 people *total* so there is a window where a potentially malicious link is waiting to be checked and in the wild.

Oh great, we're screwed...  :D