- FBI warns Hit Man e-mail scammer back
- 20 tech habits to improve your life
- Industry mourns slain Cisco exec
- 10 Firefox add-ons for better browsing
- Wireless LANs face scaling challenges
Newsletters | Podcasts | Chats | Opinions | RSS Feeds | This Week In Print | IT Careers | Community | Reports | Downloads | Slideshows | New Data Center
Partner Sites:App Performance | On Demand Security | Networking Solution | SOA | Value of WDS
One week after hiding Internet Explorer attack code on his Web site, security researcher Aviv Raff has posted details on how to launch the attack.
The bug lies in the "Print Table of Links" feature, which lets IE users print out a Web page along with a list of all the links on the page tacked onto the end. Raff discovered that if an attacker added special scripting code to a Web page, he could then run unauthorized software on the PCs of IE users who printed using this feature.
The flaw affects IE 7 and IE 8, Raff said. Security vendor Secunia said that the bug also affects IE 6.
Because the hack requires that the user be tricked into following so many steps -- not only visiting a Web page, but then printing a page with this feature selected -- Secunia has rated it as a "less critical."
Raff said that the flaw could be a more serious issue if hackers were to add the code to Web pages that were frequently printed out, such as those on Wikipedia.
The bug has not been patched by Microsoft, which was notified of the issue just last week.
Raff disclosed the flaw in an unusual way, embedding it in his own Web site and then inviting other hackers to come and find it. He called this a "treasure hunt."
The Israeli hacker said that the treasure hunt idea came from a local custom of playing such games during Israel's Independence Day. The contest was won Tuesday by someone calling himself "George the Greek."
Microsoft didn't get much time to fix the vulnerability, but Raff said he didn't feel that Microsoft would address the issue quickly unless he went public with the vulnerability.
When he has followed Microsoft's responsible disclosure guidelines in the past, the company has been too slow to fix bugs, he said.
Microsoft is thinking about putting a fix for the problem in an upcoming security update, the company said in a statement. It too downplayed the risk. "Our investigation has shown an attack would require significant user interaction," the company said. "An attacker would need to convince a user to select a non-default printing option and print a malicious web page in order for an attack to be successful."
Though Raff's attack code has been posted to the Millworm Web site, Microsoft says it's not heard of any attacks that exploit this vulnerability.
Rss FeedRss Feed
Aging network systems and old habits have dictated how businesses spend their IT budgets. As a...
Implementing HA at the Enterprise Data Center Edge to Connect to a Large Number of Branch OfficesThis paper reviews the problem of creating a network where the dynamic availability of services is...
Enterprise Data Center Network Reference ArchitectureUsing a High Performance Network Backbone to Meet the Requirements of the Modern Enterprise Data...
The standard for Power over Ethernet (PoE), IEEE Std. 802.3af(tm)-2003, advanced networking,...
Harnessing the power of communications to increase workplace performanceDue to the convergence of IT and telecommunications technologies, the business workplace has been...
Stay out of the headlines: Detecting and preventing network intrusionsHow do YOU stay out of the headlines? There is no denying that risk exists in our computer-driven...
We have so many holes punched in our firewalls today that many industry insiders question the value...
IP address management in 2008 - six things to knowRead this Network World Special Brief to learn how Enterprise IT managers must update their...
The self-managed networkWe aren't there yet, but advances in network and systems management tools are making it possible to...
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 |
Copyright © 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask to prospective vendors to get the right endpoint solution.
Download the white paper.
Unauthorized applications: Taking back control
Employees installing and using unauthorized applications like IM, VoIP, games and peer-to-peer file-sharing applications cause many businesses serious concern. How do you control these applications?
Download the white paper.
Comment