Forum latest

New Attack Uses Internet Explorer's Own Features Against It
Security
Written by Daniel   
Tuesday, 26 January 2010 19:03

From Dark Reading

Microsoft investigating threat, considering patch or offering guidance for protection

A researcher at Black Hat DC next week will demonstrate how an attacker can steal files from a victim's machine by abusing a combination of actual features in Internet Explorer.


Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies, says popular features in IE such as URL Security Zones and IE's SMB file-sharing protocol, can together be abused in order to execute an attack that results in the attacker being able to read all files on the victim's machine. Medina plans to release proof-of-concept code for the attack next month after Black Hat DC, and after Microsoft issues a security update for the attack, which affects IE Versions 6 and above, he says.

"These vulnerabilities are just features ... the implementation of the features allow you obtain certain information which by itself is harmless. But when combined together with other features, it renders an attack vector," Medina says. The attack requires that the user click on a malicious link.

Microsoft had previously patched two vulnerabilities in URL Security Zones that were initially discovered by Core, that allow an attacker to cheat the security zones feature. But the patches don't prevent this new attack, Medina says. [More...] [Comments...]

 

 

See also

None found.


Hardware | Windows | Linux | Security | Mobile Devices | Gaming
Tech Business | Editorial | General News | folding@home

Forum | Download Files

Copyright ©2001 - 2012, AOA Forums.  All rights reserved.

Alliance of Overclocking Arts

Links monetized by VigLink

Don't Click Here Don't Click Here Either