About us
Contact us
RSS
Newsletters
Blogs
Video
Follow us on Twitter
EVENTS
TOPIC AREAS
RESOURCE CENTRE
News
16 May 2008
'Treasure hunt' ends after hacker releases IE attack code
One week after hiding Internet Explorer attack code, security researcher Aviv Raff has posted details on how to launch the attack.
The bug lies in the "Print Table of Links" feature, which lets IE users print out a web page along with a list of all the links on the page tacked onto the end. Raff discovered that if an attacker added special scripting code to a web page, he could then run unauthorised software on the PCs of IE users who printed using this feature.
The flaw affects IE 7 and IE 8, Raff said. Security vendor Secunia said that the bug also affects IE 6.
Because the hack requires that the user be tricked into following so many steps - not only visiting a web page, but then printing a page with this feature selected - Secunia has rated it as a "less critical."
Raff said that the flaw could be a more serious issue if hackers were to add the code to web pages that were frequently printed out, such as those on Wikipedia.
The bug has not been patched by Microsoft, which was notified of the issue just last week.
Raff disclosed the flaw in an unusual way, embedding it in his own website and then inviting other hackers to come and find it. He called this a "treasure hunt."
The Israeli hacker said that the treasure hunt idea came from a local custom of playing such games during Israel's Independence Day. The contest was won Tuesday by someone calling himself "George the Greek."
Microsoft didn't get much time to fix the vulnerability, but Raff said he didn't feel that Microsoft would address the issue quickly unless he went public with the vulnerability.
When he has followed Microsoft's responsible disclosure guidelines in the past, the company has been too slow to fix bugs, he said.
Microsoft is thinking about putting a fix for the problem in an upcoming security update, the company said in a statement. It too downplayed the risk. "Our investigation has shown an attack would require significant user interaction," the company said. "An attacker would need to convince a user to select a non-default printing option and print a malicious web page in order for an attack to be successful."
Though Raff's attack code has been posted to the Millworm website, Microsoft says it's not heard of any attacks that exploit this vulnerability.
Follow highlights from Techworld on Twitter
Stay Informed > Subscribe to our Newsletters
The UK IT News widget Get it for your site!
<<newer article | back to index | older article>>
close
close
Email this article to a friend or colleague:
PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.
close
- This article is now being printed.
close
What are your views on this subject? Use the form below to post a comment on this article up to 1000 characters.
close
What is this?
Click below to add ''Treasure hunt' ends after hacker releases IE attack code' to your blog.
If you do not have a ComputerworldUK Account and would like to use this feature, please Register.
If you are a registered, logged-in user, this will post the title and first paragraph of this story to your blog to share with your readers.
Recent Techworld features
- Can Linux distros survive Chrome OS?
- Will Chrome force a rethink on Windows?
- Vendors start making progress towards cloud communication
- Unified communications arena gets more crowded
- Say 'No' to SQL
Recent Techworld reviews
- Office 2010 (Preview)
- AutoSave Encrypt
- VSS Monitoring 4x24 Distributed Filter Tap
- LG XD1 eSATA drive
- Asterisk 1.4
Latest PC Advisor news
- How to get the right updates to protect your PC
- Microsoft, Yahoo deal imminent
- Microsoft shock drops Windows 7 discount
- PC Advisor September 2009 cover disc - Kaspersky
- Apple needs netbook quick warns IDC
WHITE PAPERS
- Seven Ways ITIL Can Help You in an Economic Downturn
Learn more about how ITIL can help your business weather the economic storm, and how it can leave you better positioned for growth when the economy begins to rebound. - Modernizing IT: Strategies for Improving Service Quality and Reducing IT Costs
Working harder simply won’t get you there. No matter how many people you allocate, sinking more labour into old IT practices cannot concurrently meet rising demands on IT and cut costs. Read about cost-effective, automated ways to meet this challenge head-on in this whitepaper. - Ten tips on security for your business
Security of your customer data and business information is vital, this guide covers the essential issues in an easy to understand straight-forward way. - Business Continuity - Are you always open for business?
Business continuity is not an end in itself, but the key to improving performance. Oracle solutions for midsize organisations contribute by providing a secure, easily accessible, and always available information infrastructure thats's also simple and cost-effective to manage. This Oracle Business Brief explains how. - A guide to understanding hosted and managed messaging
Messaging has become absolutely critical to the operation of most enterprises and has become something of a utility, much like electricity or water provision in certain key respects. Learn more with this Osterman research whitepaper.
Techworld topic pages
|
|
- About Techworld | Contact | Privacy Policy | About IDG | All contents © IDG 2009 | webmaster@techworld.com
- Infoworld | Networkworld | Tecchannel | Techworld Netherlands | IT World Canada
