Microsoft Internet Explorer Bug Allows Hackers To Read Your Email, Website Credentials & Remote Code Execution

By Angsuman Chakraborty, Gaea News Network
Thursday, June 29, 2006

Fresh security problems found in Microsoft Internet Explorer that can allow attackers to take over a system or read private information from other Web sites. One of the bugs also affects Firefox. Proof-of-concept code was released demonstrating one of the bugs.

A researcher on Full Disclosure mailing list warned of the two IE problems, the more serious of which could be used to trick users into executing code on their systems (remote code execution vulnerability). The bug is in IE’s handling of file shares, and could allow attackers to execute malicious HTA applications via a a directory traversal attack. The exploit requires users to double-click somewhere on a Web page.

The second flaw involves the way IE handles redirections, and could allow an attacker to access information from other Web sites in the context of the user, via the object.documentElement.outerHTML property.

“This vulnerability can be potentially nasty as attackers can use it to retrieve data from other Web sites the user is logged into (for example, webmail) and harvest user credentials,” said SANS Internet Storm Center handlers in an advisory.

Secunia confirmed the bug on a fully patched system running Internet Explorer 6.0 and Windows XP SP2, and published a vulnerability test based on proof of concept code published by researcher Plebo Aesdi Nael.

SANS ISC said it had also confirmed the bug in Mozilla Firefox. via TechWorld

YOUR VIEW POINT
NAME : (REQUIRED)
MAIL : (REQUIRED)
will not be displayed
WEBSITE : (OPTIONAL)
YOUR
COMMENT :