<script language="jscript">
var oWin=open ("blank.html","victim","width=100,height=100");
[Cache line here]
location.href="http://google.com";
setTimeout(
function () {
[Exploit line(s) here]
},
3000
);
</script> Applicability Microsoft Internet Explorer versions 5.5 and 6 are vulnerable; earlier versions are not. IE6, even with SP1 installed, is still vulnerable to the external and clipboardData vulnerabilities, but not to the other seven Please note: GreyMagic Software warns that AOL Browser, MSN Explorer, and any other software using the IE engine from 5.5 or 6 will also be vulnerable to attacks making use of these exploits There is a report that upgrading IE 5.5 with SP2 will fix the vulnerabilities in that version, but you'll probably have to wait for a complete evaluation by Microsoft before having total confidence in that solution Risk level -- critical All but one of these vulnerabilities is rated as critical by GreyMagic because they can expose content on users' computers to the systems attacker or allow the attacker to run software on the compromised system Mitigating factors Although attackers would need to know the exact name and location of the files they want to copy, this isn't a significant mitigating factor because Windows stores some critical files, such as password information, in standard locations Fix GreyMagic Software recommends that you disable Active Scripting until Microsoft produces a patch for these vulnerabilities. GreyMagic has published a quick online test you can use to determine whether your software is vulnerable to any of these nine exploits of the object caching flaw Final word Some people have a problem with the way GreyMagic releases news of vulnerabilities. But I have been following its actions for some time, and it really did try working with Microsoft in the past. Unfortunately, GreyMagic didn't have much success getting the vulnerabilities it discovered patched in what it considered a timely fashion. In some cases, Microsoft took as long as six months to respond Via e-mail, GreyMagic told me, "We believe that the users have a right to know about vulnerabilities in popular software and take action in protecting themselves using the suggested workarounds while Microsoft is working on a patch." Since this approach also lets attackers know about vulnerabilities, I'm not certain I fully support this instant disclosure policy. On the other hand, I can certainly understand GreyMagic's frustration, waiting around for weeks or even months for Microsoft to deal with serious vulnerabilities The fact that GreyMagic also releases workarounds at the same time greatly mitigates any blame that might fall on the company for releasing information about the vulnerabilities before Microsoft releases patches It's also important to point out that many crackers already know about many vulnerabilities and exploit them before they are disclosed to the general public. Often, the only people who don't know about these vulnerabilities until they are published are Microsoft's security team, script kiddies, and network admins who are far too busy patching holes in software to test the underlying code themselves Some companies warn Microsoft well in advance of public release. Some don't. Some used to but don't bother any longer. Until Microsoft begins to respond more quickly to serious threats contained in its software, I think it's reasonable for companies to try different approaches, if only to see which one puts the most pressure on Microsoft to patch dangerous vulnerabilities.
Have your say instantly, in the Tech Update forum.
For a weekly round-up of the enterprise IT news, sign up for the Tech Update newsletter.
Find out what's where in the new Tech Update with our Guided Tour.
Tell us what you think in the Mailroom.
