US-CERT Warned About Vulnerability in Internet Explorer
US-CERT has issued a security alert about the way IE manages document frames (including the most familiar kind, IFRAMEs).
The flaw is the same as one found in earlier versions of IE, in which the browser fails to check whether a target frame comes from a site carrying harmful links. If an attack succeeds, that site might place harmful data into the frame of a reputable site. The researchers also claimed that an error in IE makes it vulnerable to attacks.
The US-CERT advisory also warned that the browser does not prohibit access to a document's frame, leaving it vulnerable to attacks. US-CERT added that the attack could allow keystrokes to be captured while a user is interacting with a web page in a separate domain.
US-CERT said that, unfortunately, no patch is available for the flaw. It advised users to disable Active Scripting in the Internet Zone immediately.
Yet another flaw discovered in IE 6 makes the browser vulnerable to cross-domain scripting attacks. According to Secunia, a Danish vulnerability clearinghouse, the flaw was found by the researchers along with Ph4ntOm Security Team and stems from an input validation error. Secunia gave the error a moderate rating. Users are advised to install IE 7.
The advisory stated that although this attack has not produced severe results, it enables the frame of a web page to be replaced with harmful data. By persuading a user to view a specially designed HTML document (for instance, a web page or an HTML mail message), an attacker can easily use certain non-domain-specific elements from a web page in a separate domain. For example, an attacker can capture keystrokes while a user is interacting with a web page in a separate domain.
Bill Sisk, Communication Manager for Microsoft Security Response, said that Microsoft is currently examining reports of a possible flaw in IE. The company is not aware of any attacks attempting to exploit the claimed flaw or of any user impact, as reported by InformationWeek on June 30, 2008.
» SPAMfighter News - 21-07-2008