Security experts have identified a modified exploit that can target computers running Windows XP SP2.
Although the exploit is tricky to perform, it combines two vulnerabilities in Internet Explorer 6 with a series of ActiveX exploits to break security settings in computers running SP2. It runs when a user moves a file or an image from one part of a Web page to another, but in the process the exploit downloads code to machines that circumnavigates Local Computer security settings in SP2.
Researchers at Danish security company Secunia have labelled the vulnerability as "highly critical" because it allows hackers to access local resources and bypass security features in Windows XP SP2.
"This is the most serious vulnerability for SP2 that we have the moment," said Thomas Kristensen. "The problem is that by exploiting this vulnerability in IE it's possible to drag a file into the local security zone and change the settings. On an SP2 system, this shouldn’t be a problem, but it is still possible to bypass the security with an Active X control."
The company pointed out that Windows XP SP2 does not run Active Scripting in the Local Computer zone, but by performing a series of Active X exploits it is possible to bypass those setting in SP2.
"It's a series of events you have to perform before you are able to bypass security settings," said Kristensen. "It is complicated. But they are several minor issues that can be compromised so it's possible to circumnavigate the security settings."
Kristensen added that SP2 was supposed to tightly lock down the security issues with IE 6, but this was clearly a compromise in it security. He said that the solution was to disable the drag-and-drop or copy-and-paste options on Internet Explorer and set the security level to "high" in the Internet zone.
Talkback
There's that word again. ActiveX is mentioned in nearly every story about an IE flaw. Why don't they just get rid of the damn thing like the Mozilla team did?
ActiveX can be useful (when used appropriately), but if it's causing all these problems then the logical solution is to eliminate it from the affected software. Or if it's that vital to the running of websites and so on, why not create a secure alternative from scratch?
I draw attention to Mozilla, where the code has been developed by a fresh team of developers, building from the ground up. Microsoft aren't the only people guilty of constant updating as opposed to a proper redevelopment. Take a look at Norton-there haven't really been any major changes to the product-it's just last year's software with a new name, wrapper, serial number and a few engine tweaks.
It still takes up so much CPU time - that's been a feature of NAV for years - shouldn't they have sorted that by now?
No matter how complex a flaw is, someone will do it.And then write a script/program that makes it easier and faster for others.
Guaranteed.
I think is sad that you tell the world about a severe flaw in SP2, yet the advertisment on the same page tells you to "click here to download and evaluate SP2 now".
If "IE" is for "Intranet Explorer" most of ActiveX flaws were the things no to be considered. Now we have alternatives, such as Firefox, for safer surfing on the Internet.
Im sick and fuckin tired of havin to download fixes from MS for IE - MS sort ur fuckn shit out!
Windows XP Service Pack 1 is far much better than SP2, and it doesn't even support my plug and play scanner, and it doesn't even monitor my NAV 2004, so what would be the solution to all this stuff and cuz its really bothers me.
With every update, M$ seems to sort one flaw and pave the way for another. It reminds me of botched code: taking patch after patch, while none of them are big/comprehensive enough to seal the proverbial wound from which hackers and coders can exploit our systems. Lets face it, its only a matter of time before a really, really big exploit gets found before the M$ techies find it, and then we're in trouble.
--
Monopolise, Isolate and Deprive.
--
New catchphrase anyone?
Would you buy a car that coughs and splutters every day, needs extra bits and is STILL unreliable; ALL American produce is deliberately designed that way - Quick to market, no quality or reliability, just a fast ‘buck’. Corporate Short-term’ism is being exported - and the UK is inexorably following – Commercially, in the labour market and Socially. We are all doomed.
I am using Windows XP SP2 Ok There is a flaw, how could I plug up the gap, any idea?help. Thanks