About Us | Contact Us
View Cart

A 6 year-old IE Vulnerability is Back!!

By Dan Hadaway | Wednesday, June 30, 2004 - Leave a Comment

There’s been another IE flaw brought back to the surface today. About 6 years ago there was a method an attacker could use to force their content to be shown in a frame of another site. This could allow an attacker to put their own login form into an online banking site for example, letting them harvest your username and password for your account. The issue was patched long ago, but the patch has evidently been undone.

This is mostly a reminder note. The issue in Internet Explorer that was exploited last week to infect a number of computers is still out there. Both the infected websites AND the vulnerability still exist. There isn’t a patch for it. All you have to do is browse a site with exploit code buried in it and your IE will install whatever they send you, you’ll have no indication something has happened.
This issue seems to be present again on fully patched systems. Normally this might not warrant an alert here, but the number of phishing scams that are out, we expect someone to exploit this. So if you’re using IE you might be at your own bank’s login but sending your information somewhere else.

This advisory is posted below. Your only protection is to not use Internet Explorer. We recommend Mozilla (www.mozilla.org), it’s a very good browser.

If you’re hooked on IE, never fear. We’re hearing rumors that MS may reconstitute the IE development team, presumably to begin addressing these security issues.

Original advisory:
————————-
TITLE:
Internet Explorer Frame Injection Vulnerability

SECUNIA ADVISORY ID:
SA11966

VERIFY ADVISORY:
http://secunia.com/advisories/11966/

CRITICAL:
Moderately critical

IMPACT:
Spoofing

WHERE:
From remote

SOFTWARE:
Microsoft Internet Explorer 6
http://secunia.com/product/11/
Microsoft Internet Explorer 5.5
http://secunia.com/product/10/
Microsoft Internet Explorer 5.01
http://secunia.com/product/9/

DESCRIPTION:
http-equiv has discovered a 6 year old vulnerability in Microsoft
Internet Explorer, allowing malicious people to spoof the content of
websites.

The problem is that Internet Explorer fails to stop a malicious
website from loading arbitrary content in an arbitrary frame in
another browser window. An example has been posted, which shows
arbitrary content in a frame on windowsupdate.microsoft.com.

Successful exploitation allows a malicious site to load arbitrary
content, which appears to originate from a trusted site.

This vulnerability is similar to an old vulnerability fixed by
MS98-020 in Internet Explorer version 3 and 4.

The vulnerability has been confirmed in a fully patched Internet
Explorer 6 running on Microsoft Windows XP. Other versions of
Internet Explorer may also be affected.

SOLUTION:
Do not visit or follow links from untrusted websites.

Use another browser.

PROVIDED AND/OR DISCOVERED BY:
http-equiv

OTHER REFERENCES:
http://www.microsoft.com/technet/security/bulletin/ms98-020.mspx

Posted in Vulnerability News

Latest News
    Reasons why we should be considered! infotex provides a number of services that can be checked out if you click over to offerings.infotex.com! We even made a movie with all the reasons why infotex should be your next MSOC!  
    infotex and GoTo To all infotex managed security service Clients: As recently reported by major news outlets there was a data breach affecting GoTo (formerly LogMeIn) wherein attackers stole encrypted backups containing customer information in November 2022.  Based on the advisory from GoTo the products they offer that are affected include LogMeIn Pro, LogMeIn Central, […]
    An option for increasing security for ALL organizations. . . The threat landscape is evolving daily, and it is becoming increasingly difficult for even large organizations providing cyber defense services to keep up. As Brandao (2021) notes, it is important for organizations to adapt holistic technologies that can correlate all attack events. Therefore, developing XDR […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape) You are welcome to print out and distribute this around your […]
    A relic of the internet’s less secure past, many small firms struggle to secure their email systems… An article review. With a great deal of cybersecurity related news focused on new threats and similarly new techniques aimed at combating them, it can be easy to forget some of the older threats that have never gone […]
    Seven Trends . . . …that small bank Information Security Officers face in 2023 Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . Welcome to the Magnificent Seven, my annual predictive article about the seven trends in technology that will impact the Information Security Officers of […]
    System Security and Cybersecurity are not the same thing. . . Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . Regarding “information security,” the last thirty years have seen an evolution of frameworks, laws, and assessment approaches which intimidate the management team with their complexity.  […]
    The cryptographic algorithm is vulnerable to attack and is no longer considered secure… An article review. NIST has announced that it plans to retire the SHA-1 cryptographic algorithm by the end of 2030, citing multiple vulnerabilities in the standard, effectively ending its use after nearly 30 years.  Introduced in 1995, SHA-1 used a 160-bit hash […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape) You are welcome to print out and distribute this around your […]
    Trending: Awareness Posters Meet Infographics Here are the top seven posters as of the last twelve months! As always, our Awareness Posters were a hit in 2022! So we decided to run some reports to see what our most popular posters were since November 2021. As everybody loves top ten lists and contests, we thought […]