Is it time to leave Internet Explorer behind?
Microsoft's popular Web browser is riddled with security holes--some of which the software giant has yet to patch. How can you protect yourself?
By Robert Vamosi
(2/13/02)
The upside of having one software company design all your applications is that it's easy to make them all interoperate. The downside is that if one program breaks, it might break another seemingly unrelated program as well. Take, for instance, Internet Explorer. You wouldn't think a problem in Internet Explorer 6 could compromise your privacy in MSN Messenger 4.x, but, up until recently, it could. And, unfortunately, a new patch from Microsoft does not plug all of the browser's security holes.
As first reported by CNET News.com last Friday, malicious users could gain access to MSN Messenger's e-mail addresses and contact lists under the right conditions.
Messenger was designed to share certain information with JavaScript- or VBScript-enabled Web sites. Only the domains Microsoft.com, Hotmail.com, and Hotmail.msn.com should be able to see Messenger's e-mail addresses and user contact lists. Those access rules are hard-coded into Messenger itself. However, according to a post by software engineer Richard Burton on BugTraq, a clever user could gain full access to MSN Messenger information through the Windows System Registry at HKEY_LOCAL_MACHINE\Software\Microsoft\MessengerService\Policies\Suffixes, under the values Suffix0, Suffix1, and so on.
For some reason, Microsoft provided these empty, additional suffixes and did not bother to write-protect them; as a result, malicious users could just add their domain to Suffix0 and gain access to the contact info. Burton notes that adding .com to Suffix0 allows all sites with the .com extension to share MSN Messenger e-mail address and user list information. For a working example of this vulnerability, click here. A fix for MSN Messenger should be available later this week.
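Until the fix arrives, an administrator can check whether anything has been written into those values. The following is an added example, not code from Burton's post or from Microsoft: it audits the text of a registry export for populated Suffix values, and the function names, the sample export, and the plain suffix-matching rule in host_allowed are assumptions made for illustration.

```python
import re

# Key path from the article, with the hive written in its standard form.
KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\MessengerService\Policies\Suffixes"

# Constructed sample in .reg export form (already decoded to text); not real data.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\MessengerService\Policies\Suffixes]
"Suffix0"=".com"
"Suffix1"=""
"Suffix2"="intranet.example"

[HKEY_LOCAL_MACHINE\Software\Microsoft\MessengerService\Policies]
"Suffix9"="other-key.example"
'''

def suffix_values(export_text, key=KEY):
    """Return {name: value} for SuffixN string values directly under `key`."""
    found, in_key = {}, False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):  # a new key section begins
            in_key = line.strip("[]").lower() == key.lower()
        elif in_key:
            m = re.fullmatch(r'"(Suffix\d+)"="(.*)"', line, re.IGNORECASE)
            if m:
                found[m.group(1)] = m.group(2)
    return found

def host_allowed(host, suffix):
    """Assumed rule: a host is trusted if it ends with a non-empty suffix."""
    return bool(suffix) and host.lower().endswith(suffix.lower())

def audit(export_text):
    """Report every non-empty SuffixN; per the article the built-in domains are
    hard-coded elsewhere, so any value here is an addition. One label = a TLD."""
    findings = []
    for name, value in sorted(suffix_values(export_text).items()):
        if value:
            labels = [p for p in value.split(".") if p]
            kind = "whole-tld" if len(labels) == 1 else "extra-domain"
            findings.append((name, value, kind))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

On a clean machine the audit should return nothing, since the article describes the Suffix values as empty by default.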
Yet an even greater danger exists when the above-mentioned MSN flaw is combined with a vulnerability in Internet Explorer 6. Together, these two security holes allow malicious users to hijack your Messenger account and impersonate you online.
First reported in mid-December, this so-called document.open vulnerability also allows malicious users to read cookie data on other sites. Normally, cookie data should be accessible only to the site issuing a cookie; that site should not be able to read other sites' cookies.
For working examples of the document.open exploits, see The Pull, and for an example of the MSN hijack, click here.
Patching the security holes
Fortunately, Microsoft issued a security bulletin, MS02-005, to address six Internet Explorer 5.01, 5.5, and 6 vulnerabilities, including the document.open flaw and a flaw first reported on January 1 by software engineer Georgi Guninski. Called the IE GetObject() vulnerability, the flaw Guninski found allows malicious users to read local files or execute rogue programs on your computer. Guninski points out on his Web site that this isn't the first vulnerability to affect GetObject() and Internet Explorer. My guess is it won't be the last.
The recent Microsoft security bulletin also addresses a variant of the iFrame vulnerability, which allows malicious code to execute automatically in Outlook and Outlook Express and has been a favorite of the recent Badtrans.B virus and others. Rounding out the Microsoft package are fixes for buffer overruns in HTML directives, the ability to change filenames upon download, and the ability to run malicious scripts in applications such as Access 2000, even if the user has disabled scripting.
Still, MS02-005 does not patch all the reported vulnerabilities within IE 6. Software engineers Tom Gilder and Thor Larholm have documented other vulnerabilities in the browser. So, what can you do when no patch is available? Guninski suggests that you disable Active Scripting and avoid using Internet Explorer while surfing the Net. Given the abundant vulnerabilities, that's not such a bad idea.
Would you stop using Internet Explorer because of all its security holes? TalkBack to me!
Associate Editor Robert Vamosi covers viruses and security threats for CNET. Questions or comments? Let us know.



