Security researchers said the IE vulnerability has been known for the past six months, but had previously been seen as a conduit for denial-of-service attacks rather than the remote execution of code. DOS attacks, which attempt to crash a system by flooding it with data, are typically considered less-severe security risks.
"The vulnerability itself has been known about for a while, but it was only a problem for a denial-of-service attack that would sometimes cause IE to crash," said Johannes Ullrich, chief research officer for the Sans Institute. "Up until now, no one knew how to mark the code and find it in memory to execute a remote code attack...."
Because the flaw was initially believed to involve only a potential DOS attack, Microsoft never issued a patch for the problem, Ullrich said. He added it is not yet known whether Microsoft will spin out a patch for the flaw immediately or wait for its monthly patch cycle.
Originally posted by: bersl2
From the ZDNet article:
Security researchers said the IE vulnerability has been known for the past six months, but had previously been seen as a conduit for denial-of-service attacks rather than the remote execution of code. DOS attacks, which attempt to crash a system by flooding it with data, are typically considered less-severe security risks.
"The vulnerability itself has been known about for a while, but it was only a problem for a denial-of-service attack that would sometimes cause IE to crash," said Johannes Ullrich, chief research officer for the Sans Institute. "Up until now, no one knew how to mark the code and find it in memory to execute a remote code attack...."
Because the flaw was initially believed to involve only a potential DOS attack, Microsoft never issued a patch for the problem, Ullrich said. He added it is not yet known whether Microsoft will spin out a patch for the flaw immediately or wait for its monthly patch cycle.
Ouch.
Originally posted by: Hyperblaze
Originally posted by: bersl2
From the ZDNet article:
Security researchers said the IE vulnerability has been known for the past six months, but had previously been seen as a conduit for denial-of-service attacks rather than the remote execution of code. DOS attacks, which attempt to crash a system by flooding it with data, are typically considered less-severe security risks.
"The vulnerability itself has been known about for a while, but it was only a problem for a denial-of-service attack that would sometimes cause IE to crash," said Johannes Ullrich, chief research officer for the Sans Institute. "Up until now, no one knew how to mark the code and find it in memory to execute a remote code attack...."
Because the flaw was initially believed to involve only a potential DOS attack, Microsoft never issued a patch for the problem, Ullrich said. He added it is not yet known whether Microsoft will spin out a patch for the flaw immediately or wait for its monthly patch cycle.
Ouch.
Suprised?
How about another reason to not run a web browser under the administrative security context.Originally posted by: dornick
Another win for open sauce!
Originally posted by: spyordie007
How about another reason to not run a web browser under the administrative security context.Originally posted by: dornick
Another win for open sauce!
Another win for apple sauce
Secunia link:
http://secunia.com/advisories/15546/
I'd like to think that Microsoft will fix this issue now.
From: admin@dbtech.org
Sent: Mon 11/21/2005 12:20 PM
To: bugtraq@securityfocus.com
Subject: IE BUG, Mozilla DOS?
The IE bug shown in the advisory here http://www.computerterrorism.com/research/ie/ct21-11-2005 seems to have a DDOS like effect on mozilla sending pc usage to 99 % until mozilla either crashes or gives way.
Originally posted by: astrosfan90
I thought IE was one giant security flaw...people still use it?
Originally posted by: The Linuxator
Originally posted by: astrosfan90
I thought IE was one giant security flaw...people still use it?
Yes seriously, whoever knows about alternatives (i.e firefox, opera, Konqueror, Mozilla...etc) and still uses IE deserves all the viruses that the Cyber world has to offer, why because he / she is asking for it.