IE bugs keep coming

Thursday, 10 July 2003, 2:18 PM EST

Microsoft issued a patch Wednesday for a critical vulnerability in most versions of Windows that gives attackers remote control of a user's machine though Internet Explorer. But if the results of a new survey are any guide, most users won't install it.

The bug is a buffer overflow in an HTML conversion library used by a number of Windows programs, including Internet Explorer, and by extension Outlook and Outlook Express. To exploit it, an attacker tricks a victim into visiting a specially-crafted malicious Web page, or -- a more likely approach -- sends an Outlook user an HTML-formatted e-mail with the attack code embedded within.

A Russian hacker called "Digital Scream" reported the hole over Bugtraq on June 22nd, and other security researchers subsequently analyzed the vulnerability and produced a proof-of-concept exploit. With no advance warning, it took Microsoft seventeen days to release a patch -- not a unreasonable amount of time given the complexity of the problem, says Marc Maiffret, a founder of California-based security vendor eEye. "Since it is a component that is shared, and is not just used within Internet Explorer, it's a lot harder to test that the patch works with everything."

[ Read more ]


MagSpoof: A device that spoofs credit cards, disables chip-and-PIN protection

The device can wirelessly spoof credit cards/magstripes, disable chip-and-PIN protection, and predict the credit card number and expiration date of Amex cards after they have reported stolen or lost.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Nov 26th