Cyber Security Institute
Thursday, September 14, 2006
New IE hole revisits an old bug
Hackers have discovered a new vulnerability in Internet Explorer, and they’ve released code that could be used to attack users of Microsoft Corp.’s popular browser. To take advantage of the exploit code, attackers would first need to trick users into viewing a maliciously encoded Web page, but they could then run unauthorized code on a victim’s computer. Symantec calls the bug “critical,” and Secunia rates the issue as “highly critical,” its most severe rating.
The xsec.org hackers referred to their code as a 0day, meaning an exploit for a previously undisclosed vulnerability. But one well-known hacker said the flaw was not difficult to find using publicly available security tools, such as the AxMan ActiveX fuzzing software.
Moore wrote an automated ActiveX testing tool called AxMan that uncovered a handful of IE bugs, including the one exploited by the code on xsec.org. Although Moore recently launched a project called the Month of Browser Bugs, in which he disclosed a new browser vulnerability every day for the month of July, he said he had refrained from disclosing this particular vulnerability. “This is one of the many exploitable bugs that can be discovered using AxMan and one of the few that I didn’t include in Month of Browser bugs due to the ease of exploitation,” he said.