Author

Topic: Be advised! Hackers exploit new IE zero-day vulnerability (Read 1299 times)

hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
Here is an interesting counter-point: IE iswas not vulnerable to CRIME attack; Firefox and Chrome arewere vulnerable until recently.

Quote
"Basically, the attacker is running a script on Evil.com," Rizzo explained to Kaspersky Labs' Threatpost. "He forces the browser to open requests to Bank.com by, for example, adding tags with the src pointing to Bank.com. Each of those requests contains data from mixed sources."

Each encrypted request includes an image file name - a constantly changing detail that is generated by the malicious script; the browser's identification headers, which don't change; and the login cookie, the target of the attack. When the file name matches part of the login cookie, the size of the message drops because the compression algorithm removes this redundancy.

"The problem is that compression combines all those sources together," Rizzo added. "The attacker can sniff the packets and get the size of the requests that are sent. By changing the [file name] path, he could attempt to minimise the request size, ie: when the file name matches the cookie."

I don't use IE, but things are not black-and-white, especially not today. Don't base your views on years-old information.
member
Activity: 104
Merit: 100
Im with you guys Smiley IE is crap. But Im sure some still use it, so I just wanted to bring this to peoples attention is all.

Without IE how are we going to use ActiveX technology?  Tongue
member
Activity: 88
Merit: 10
W Investment Technology Research Center
Thanks for your information.
full member
Activity: 126
Merit: 100
Im with you guys Smiley IE is crap. But Im sure some still use it, so I just wanted to bring this to peoples attention is all.
hero member
Activity: 721
Merit: 503
Windows is famous for bad security, so is IE - why on earth would anyone use the combination on a machine storing anything of value?
legendary
Activity: 1120
Merit: 1016
090930
How can anyone still be running IE these days?

99% of common security issues (zero-days, drive-by downloads, etc) on Windows can actually be avoided pretty easily by running ANY other browser than IE and not using an admin account by default.

Also be very careful keeping up-to-date with (or outright disabling) Flash and Java
runtimes as these are the most common attack vectors.
hero member
Activity: 714
Merit: 500
Thanks for sharing.
full member
Activity: 126
Merit: 100
Attackers are exploiting a "zero-day" vulnerability in Microsoft's Internet Explorer (IE) and hijacking Windows PCs that cruise to malicious or compromised websites, security experts said today.

Microsoft confirmed the IE bug, saying, "We're aware of targeted attacks potentially affecting some versions of Internet Explorer," but did not set a timetable for fixing the flaw.

The unpatched bug in IE7, IE8 and IE9 can be leveraged in Windows XP, Vista and Windows 7, according to Rapid7, the security firm that also maintains the open-source Metasploit penetration-testing toolkit.

Read more here:

http://www.computerworld.com/s/article/9231367/Update_Hackers_exploit_new_IE_zero_day_vulnerability?taxonomyId=125

I just felt this should be brought to everyones attention. I strive for security, and wanted to pass this along. I hope was able to help someone Smiley

Jump to: