Alerts
'Zero-Day' Internet Explorer Flaw Detected
Date:
June 10, 2004
Severity:
High
Systems Affected:
Microsoft Internet Explorer
Overview:
It has been discovered that an adware purveyor has leveraged two security flaws (one of which was previously undetected, a "zero day") in Microsoft's Internet Explorer browser to surreptitiously install a toolbar on victims' computers that triggers pop-up ads.
One of the flaws lets an attacker run a program on a victim's machine, while the other enables malicious code to run with privileges higher than normally allowed. When combined, the two issues allow for the creation of a Web site that, when visited by victims can upload and install programs to the victim's computer.
Prevention:
Disable Active Scripting, except for trusted web sites. Alternative browsers such as Mozilla, Opera or Netscape are not subject to this attack.
Additionally, as a public service to the network security community, eEye Digital Security has developed utilities to assist with the remediation of the flaws these attacks are leveraging. To download these tools please visit:
http://www.eeye.com/html/research/tools/IESecurityRegFixer.zip
Update: These issues have now been updated by Microsoft and a patch is available.
Links:
Microsoft Security Bulletin MS04-025
CERT Advisory
This alert was last updated on August 2, 2004.
June 10, 2004
Severity:
High
Systems Affected:
Microsoft Internet Explorer
Overview:
It has been discovered that an adware purveyor has leveraged two security flaws (one of which was previously undetected, a "zero day") in Microsoft's Internet Explorer browser to surreptitiously install a toolbar on victims' computers that triggers pop-up ads.
One of the flaws lets an attacker run a program on a victim's machine, while the other enables malicious code to run with privileges higher than normally allowed. When combined, the two issues allow for the creation of a Web site that, when visited by victims can upload and install programs to the victim's computer.
Prevention:
Disable Active Scripting, except for trusted web sites. Alternative browsers such as Mozilla, Opera or Netscape are not subject to this attack.
Additionally, as a public service to the network security community, eEye Digital Security has developed utilities to assist with the remediation of the flaws these attacks are leveraging. To download these tools please visit:
http://www.eeye.com/html/research/tools/IESecurityRegFixer.zip
Update: These issues have now been updated by Microsoft and a patch is available.
Links:
Microsoft Security Bulletin MS04-025
CERT Advisory
This alert was last updated on August 2, 2004.
