
Watch out porn fans


    Watch out porn fans

    http://news.bbc.co.uk/1/hi/technology/5365296.stm

    Microsoft has issued warnings about a serious flaw in Internet Explorer that allows attackers to hijack a PC via the popular browser.

    Security firm Sunbelt Software said the vulnerability was being actively exploited on some porn websites.

    So far there is no fix to close the bug in the browsing program but Microsoft has issued advice about how to avoid falling victim.

    It said it would patch the bug in its next security update due on 10 October.

    Researcher Adam Thomas uncovered the exploit which revolves around the way that the Internet Explorer browser handles a particular form of graphics known as vector graphics.

    A properly crafted webpage can exploit this problem and install almost anything they want on the target machine.

    Unusable PC

    Tests by Sunbelt Software on a Windows machine patched with all the latest security updates showed attackers installing a huge amount of spyware and other malicious programs.

    Watch out RR and others.

    #2
    What!

    I Flaw in IE?

    Whatever are we going to do?
    Throw them to the lions - WC2 5.4



      #3
      Porn using vector graphics? Must be rather naff porn!
      bloggoth

      If everything isn't black and white, I say, 'Why the hell not?'
      John Wayne (My guru, not to be confused with my beloved prophet Jeremy Clarkson)



        #4
        As long as Firefox is unaffected....
        How fortunate for governments that the people they administer don't think



          #5
          Guess what? It's another buffer overflow exploit. No surprise there and anyone with anything to do with security and secure development will recognise this one.

          From CERT.

          Microsoft IE version 5.0 and higher support the Vector Markup Language (VML), which is a set of XML tags for drawing vector graphics. IE fails to properly handle malformed VML tags allowing a stack buffer overflow to occur. If a remote attacker can persuade a user to access a specially crafted web page with IE, that attacker may be able to trigger the buffer overflow. In addition, an attacker could deliver an HTML email message or entice a user to select an HTML document in Windows Explorer.

          On Windows XP SP2 systems the vulnerable component (VGX.DLL) is compiled with the /GS (Buffer Security Check) flag. However, exploits using techniques to circumvent the Buffer Security Check are publicly available.
          All it takes is a correctly built web page with a deliberately malformed VML tag or the same tag in an HTML e-mail and your PC is toast. There is currently no fix. The only solution is to use another browser and hope they don't have the same problem.

          Edit :

          Did a bit more digging and there is a workaround for it.

          Microsoft Security Advisory (925568) suggests the following techniques to disable VML support:

          Un-register Vgx.dll on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1

          Modify the Access Control List on Vgx.dll to be more restrictive

          Configure Internet Explorer 6 for Microsoft Windows XP Service Pack 2 to disable Binary and Script Behaviors in the Internet and Local Intranet security zone.
          So basically cripple your existing browser or use a different one.
          Last edited by DaveB; 25 September 2006, 12:28.
          "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.
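
The workarounds listed in post #5 all switch VML rendering off, so before applying them it helps to know which internal pages or HTML mail templates actually depend on VML. The following is an added example, not part of the original post or of the Microsoft advisory: a small inventory check in Python that reports the VML namespace declaration, VML-prefixed elements and the `#default#VML` CSS behavior binding. The names `VMLFinder` and `find_vml` and both sample pages are constructed for illustration.

```python
import re
from html.parser import HTMLParser

VML_NS = "urn:schemas-microsoft-com:vml"   # XML namespace used by VML markup
VML_BEHAVIOR = re.compile(r"url\(\s*#default#vml\s*\)", re.I)  # CSS binding for VML

class VMLFinder(HTMLParser):
    """Collects evidence that an HTML document relies on VML rendering."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.prefixes = set()   # namespace prefixes bound to VML, e.g. "v"
        self.in_style = False
        self.findings = []      # (kind, where) tuples in document order

    def handle_starttag(self, tag, attrs):
        self.in_style = (tag == "style")
        for name, value in attrs:
            value = value or ""
            if name.startswith("xmlns:") and value.strip().lower() == VML_NS:
                self.prefixes.add(name.split(":", 1)[1])
                self.findings.append(("namespace", name))
            elif name == "style" and VML_BEHAVIOR.search(value):
                self.findings.append(("behavior", tag))
        prefix, sep, _ = tag.partition(":")
        if sep and prefix in self.prefixes:
            self.findings.append(("element", tag))

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        # Only CSS inside a <style> block counts, not ordinary page text.
        if self.in_style and VML_BEHAVIOR.search(data):
            self.findings.append(("behavior", "style"))

def find_vml(html):
    """Return the list of VML findings for one HTML document (empty if none)."""
    parser = VMLFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample pages (not taken from any real site or exploit).
SAMPLE_VML = r"""<html xmlns:v="urn:schemas-microsoft-com:vml">
<head><style>v\:* { behavior: url(#default#VML); }</style></head>
<body><v:rect style="width:100px;height:50px" fillcolor="red"/></body></html>"""
SAMPLE_PLAIN = "<html><body><p>No vector graphics here.</p></body></html>"

if __name__ == "__main__":
    for label, page in (("vml", SAMPLE_VML), ("plain", SAMPLE_PLAIN)):
        print(label, find_vml(page))
```

A page that returns an empty list will render the same after VML is disabled; any finding marks content that will lose its vector graphics.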



            #6
            Luckily Microsoft are totally focussed on security. A patch is coming out in October, so all we have to do is stop using the Internet for a month.

            HTH
            First Law of Contracting: Only the strong survive



              #7
              IE ?

              Not me I prefer a Night at the Opera

              www.opera.com



                #8
                Originally posted by _V_
                Luckily Microsoft are totally focussed on security. A patch is coming out in October, so all we have to do is stop using the Internet for a month.

                HTH
                Technically, all we have to do is stop surfing for porn for a month, which is almost as bad...
                His heart is in the right place - shame we can't say the same about his brain...
