New Flaws Discovered on IE, Office

Six new vulnerabilities, the most serious of which could enable an attacker
to execute commands on a user’s system, were discovered in Internet
Explorer, Microsoft’s Web browser.


Among the six new flaws are three whose threat Microsoft has designated as
“critical” for client systems.


The first vulnerability, which was originally addressed by the company in
June of this year, could enable an attacker to take any action on another
system that the system’s legitimate user could take. The problem stems from
an Unchecked Buffer in Gopher Protocol Handler.


The Gopher protocol is a legacy protocol that provides for the transfer of
text-based information across the Internet. An unchecked buffer exists in a
piece of code that handles the response from Gopher servers, making it
possible for an attacker to attempt to exploit this flaw by mounting a
buffer overrun attack through a specially crafted server response.


Another flaw that poses a “critical” threat is a buffer overrun in legacy
text formatting ActiveX control. The vulnerability, discovered by Next
Generation Security Software could allow an attacker who successfully
exploited it to gain the ability to take any action on a user’s system that
the user himself could take. This could enable the attacker to run programs,
communicate with web sites, reformat the hard drive, or take other actions.


Such an attack could be exploited by hosting a specially constructed web
page on a web site, or by sending such a web page to another user as an HTML
mail.


According to Microsoft’s report, for an attack of this manner to occur, the
user would have to allow ActiveX controls to run on the user’s system. In
IE’s security settings, by default, web pages in the Restricted Sites Zone
cannot run ActiveX controls. This turns out to be significant in the case of
an attack via HTML mail vector, as by default, some programs, such as
Outlook Express 6.0 and Outlook 2002 open HTML mails in the Restricted Sites
Zone.


The final threat can allow one web site to access information in another
domain, including the local system, making it possible for a web site to
read files on the local file system that can be rendered in a browser, or to
invoke executables on the local file system.


The vulnerability is caused by improper cross-domain verification when the
Object tag is used in a particular manner.


The remaining three less serious IE flaws are: a vulnerability that could,
under certain conditions, enable an attacker to read certain types of data
files on another user’s system; a vulnerability that could enable an
attacker to misrepresent the origin of a file offered for download; and a
new variant of a vulnerability that could allow an attacker to cause script
to be run in the Local Computer Zone.


A patch covering all of the newly discovered vulnerabilities is available
for download here.


The software giant, who has been plagued with security flaws, also released
another “moderate threat” warning about an unchecked buffer in Network Share
Provider that could allow an attacker to crash the system of a target
machine by sending a specially crafted packet request to a computer. Patch
information for this vulnerability, which affects Microsoft NT 4.0
Workstation, Windows 2000 Professional, Windows 2000 Server, Windows 2000
Advanced Server and XP Professional is available here.


Microsoft additionally released a new vulnerability patch to its Service
Pack 2 for Office XP, initially released earlier this
week
, addressing Three vulnerabilities in several ActiveX controls in
Office Web Components, the most serious of which could allow an attacker to
run commands on the user’s system. Each of the vulnerabilities is caused by
implementation errors in specific methods and functions the controls expose,
and could be exploited either via a web site or an HTML mail. SP2 is
available for download here.

News Around the Web