TechRepublic : A ZDNet Tech Community

Critical IE vulnerability remains unpatched

Tags: Web browsers, SECURITY, John McCormick, Microsoft Internet Explorer, vulnerability, window, IT Locksmith Newsletter


Takeaway: Microsoft still hasn't patched a serious Internet Explorer vulnerability, and malicious hackers are taking advantage of the fact. In addition, a remote code execution threat has surfaced in Real Networks RealPlayer. Get the details about these and other security issues in this edition of the IT Locksmith.

Redmond may be the only one ignoring the critical Internet Explorer vulnerability: Secunia has posted more information about the threat, and a Trojan horse that takes advantage of the vulnerability has also surfaced.

Details

The Internet Explorer vulnerability that I focused on in my last column remains unpatched at the time of this writing, and attackers are taking advantage of Microsoft's sluggishness.

Reports surfaced last week of malicious software on the Web that exploits the security flaw to download a Trojan horse to vulnerable computers. And that's in addition to the already available exploit code on the Web.

Secunia Advisory 15546 classifies the threat as an extremely critical vulnerability that affects fully patched IE 6.0 on Windows XP Service Pack 2 and IE 6.0 on Windows 2000 SP4 systems. It also apparently affects IE 5.5.

This vulnerability has received the MITRE/CERT candidate reference number CAN-2005-1790, which lists the following references:

This is a JavaScript threat triggered when a page calls window() as a function, which is what initializes the malicious code. Here is the example listed by Secunia:

<body onload="window();">
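The Secunia trigger above is small enough that a content filter or proxy can look for it while a patch is still outstanding. The following scanner is an added example written for this column, not code from Secunia, Microsoft or the author: it walks HTML with Python's standard-library parser and flags a bare call to window() in event-handler attributes, javascript: URLs and inline script, while ignoring ordinary property access such as window.open(). The sample page embedded at the bottom is constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Matches "window" invoked as a function ("window()", "window ( )") but not
# property access such as window.open( or other identifiers like mywindow(.
WINDOW_CALL = re.compile(r'(?<![\w$.])window\s*\(')


class WindowCallScanner(HTMLParser):
    """Collects (tag, attribute-or-'body', snippet) for every place a page
    calls window() directly. Hypothetical helper for this example."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and unescapes entities,
        # so an obfuscated "&#119;indow()" in an attribute still reaches us plain.
        for name, value in attrs:
            if value is None:
                continue
            is_handler = name.startswith('on')
            is_js_url = value.strip().lower().startswith('javascript:')
            if (is_handler or is_js_url) and WINDOW_CALL.search(value):
                self.findings.append((tag, name, value.strip()))
        if tag == 'script':
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == 'script':
            self._in_script = False

    def handle_data(self, data):
        # Inline script text is delivered here while inside <script>...</script>.
        if self._in_script:
            m = WINDOW_CALL.search(data)
            if m:
                snippet = data[m.start():m.start() + 40].strip()
                self.findings.append(('script', 'body', snippet))


def scan_html(markup):
    """Return the list of window() call sites found in the given HTML."""
    scanner = WindowCallScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings


# Constructed sample page: three trigger variants plus two benign look-alikes.
SAMPLE_PAGE = (
    '<html><body onload="window();">'
    '<a href="javascript:window ( )">x</a>'
    "<script>var w = window.open('a'); window();</script>"
    '<div onclick="mywindow()">y</div>'
    '</body></html>'
)

if __name__ == '__main__':
    for tag, where, snippet in scan_html(SAMPLE_PAGE):
        print(f'{tag}/{where}: {snippet}')
```

The regex deliberately keys on the call syntax rather than on a specific payload, since the memory corruption comes from calling window() as a function regardless of what follows it; a filter that only matched the exact onload string from the advisory would be trivially bypassed with whitespace or a different event handler.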

Meanwhile, according to SecurityFocus.com, eEye Digital Security has discovered a remote code execution threat in multiple versions of Real Networks RealPlayer, which affects several Windows versions as well as some UNIX and Linux versions. While no reports of exploits have surfaced yet, the widespread use of RealPlayer and the large number of versions affected (most, perhaps all, versions through 10.5) could make this a serious threat.

In any case, this vulnerability bears monitoring for any fix that Real Networks makes available. So far, I haven't seen any response from Real Networks to the report, which was first posted on November 30.

Final word

On the more general security front, the 9-11 commission is openly discussing how badly the federal government has responded to the most glaring vulnerabilities that the panel exposed in its July 2004 report. Personally, I expected exactly what happened in New Orleans, which many view as a dress rehearsal for a major terrorist attack.

Several years ago, I resigned a post as an emergency management coordinator because of the wasting of 9/11 funds. Essentially, I had no way of communicating with emergency workers and therefore no way of coordinating disaster response because I couldn't get a radio with the right frequencies.

The same situation exists today. This is a major failing that the federal government could have easily addressed with a tiny portion of the billions of dollars since spent on homeland security.

While this may not specifically involve computer security, the failure to prepare adequately for a major, credible, and known threat is indicative of the government's overall attitude toward security concerns in general. And that's particularly alarming with so many of the Internet's central elements based in the United States. Remember: It doesn't take a direct threat to the Internet's infrastructure to cause a major disruption.

John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.
