
The Evil Empire
Information about Microsoft, bugs, security holes, and dirty business tactics.
Updated irregularly (about once per week)

 

October 22, 2004

Microsoft Internet Explorer Two Vulnerabilities

http-equiv has discovered two new vulnerabilities in Internet Explorer, which can be exploited by malicious people to compromise a user's system, link to local resources, and bypass a security feature in Microsoft Windows XP SP2.

  1. Insufficient validation of drag and drop events from the "Internet" zone to local resources for valid images or media files with embedded HTML code.
  2. A security zone restriction error, where an embedded HTML Help control can execute local HTML documents.

The two vulnerabilities, in combination with an inappropriate behaviour where the ActiveX Data Object (ADO) model can write arbitrary files, can be exploited to compromise a user's system. This has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. More... [Secunia]

Posted by Horst at 01:33 PM

October 12, 2004

Microsoft documents faulted

Microsoft wants to publish sensitive details about its software required by a court in a protected format that can only be viewed using Internet Explorer, the US government has complained. The US Justice Department and 17 states that negotiated a landmark antitrust deal with Microsoft said the company's current plan "significantly limits the practical useability" of the information Microsoft was compelled to reveal to its competitors. More... [News.com.au]

Posted by Horst at 04:58 PM

Microsoft Word Hole Could Allow DoS Attacks

Computer security firm Secunia has reported what it terms a "highly critical" vulnerability in the popular Microsoft Word desktop computer application. The firm has confirmed the existence of the hole in versions of Word as recent as Word 2000.

The problem appears to affect only documents that are opened from or downloaded from Web sites, Secunia CTO Thomas Kristensen told NewsFactor. However, the installation of the Microsoft Office suite has many options, and vulnerabilities related to local documents may exist, he added. The fix, says the company, is to open only documents from trusted sources. More... [NewsFactor]

Posted by Horst at 04:55 PM

Microsoft IE, ASP.NET holes damage image

This has been a bad couple of weeks for Microsoft. Last week MS disclosed an annoying ASP.NET vulnerability allowing attackers to gain access to protected areas of a website without first authenticating. This week we've got a new Internet Explorer vulnerability rooted in the browser's use of XML. More... [Geek.com]

Posted by Horst at 04:50 PM

Yet another IE aperture

Security advisor Gregory Guninski has discovered a security hole in Internet Explorer that was already discovered in 2002, then closed by a security patch, and is now open again in current (patched) versions of Windows XP. More... [Guninski.com]

Posted by Horst at 04:46 PM

October 08, 2004

IE, Swiss Cheese of software

"Internet Explorer is the Swiss Cheese of software - it's full of holes. Holes in software are never good, but when the browser is so integrated with the OS as to be as one - you've got problems. Add to that the sheer ubiquity of the Microsoft browser, and it's no wonder IE has become the hackers' No.1 playground." Who says so? No less than the Redmond Magazine which bills itself as the Independent Voice of the Microsoft Community. More... [p2pnet.net]

Posted by Horst at 05:08 PM

Word open to hack attack

A flaw in Microsoft Word 2000, and possibly Word 2002 as well, could be used by hackers to crash PCs or perhaps run other code on the compromised machine, a security firm said this week. According to the alert, the bug in Word stems from an input validation error within document files, and if exploited could cause a stack-based buffer overflow that in turn leads to a denial-of-service (DoS) and a crash. The bug has been confirmed in Word 2000, but also reported (though not confirmed) in Word 2002, the version in Office XP. More... [iTNews]

Posted by Horst at 05:05 PM

Microsoft Probes Flaw in ASP.NET

Microsoft Corp. is investigating a reported security flaw in its ASP.NET technology that could allow intruders to access password-protected sections of a Web site simply by altering a URL. The hole involves a glitch in ASP.NET's processing of URLs, a process known as canonicalization. More... [eWeek]

Posted by Horst at 05:02 PM

October 06, 2004

IE allows mouse events to manipulate window objects and perform "drag & drop" operations

Microsoft Internet Explorer (IE) dynamic HTML (DHTML) mouse events can manipulate windows to copy objects from one domain to another, including the Local Machine Zone. This vulnerability could allow an attacker to write arbitrary files to the local file system. More... [addict3d.org]

Posted by Horst at 05:10 PM
© Copyright 1999-2004 Horst Prillinger, 
