Welcome to P2PNET.net - The original daily p2p and digital news site. Always First!

Three ‘critical’ Windows flaws

p2pnet.net News:- Microsoft has released patches for three Windows security holes in its operating system, two of which it calls “critical”.

However, Secunia, which first gave news of the vulnerabilities, described all three as extremely critical.

The flaws affect versions of Windows, from NT4 and Windows 98 to Windows XP, including machines with Windows XP Service Pack 2.

The flaws, says Secunia, are:

1) Insufficient validation of drag and drop events from the “Internet” zone to local resources for valid images or media files with embedded HTML code. This can be exploited by e.g. a malicious web site to plant arbitrary HTML documents on a user’s system, which may allow execution of arbitrary script code in the “Local Computer” zone. This vulnerability is a variant of: SA12321. NOTE: Microsoft Windows XP SP2 does not allow Active Scripting in the “Local Computer” zone.

2) A security site / zone restriction error, where an embedded HTML Help control on e.g. a malicious web site references a specially crafted index (.hhk) file, can execute local HTML documents or inject arbitrary script code in context of a previous loaded document using a malicious javascript URI handler.

Successful exploitation may allow execution of arbitrary HTML and script code in a user’s browser session in context of arbitrary sites, or execution of local programs with parameters from the “Local Computer” zone using a HTML Help shortcut. NOTE: This will bypass the “Local Computer” zone lockdown security feature in SP2.

3) A security site / zone restriction error in the handling of the “Related Topics” command in an embedded HTML Help control can be exploited by e.g. a malicious website to execute arbitrary script code in the context of arbitrary sites or zones. NOTE: This may be exploited to bypass the “Local Computer” zone lockdown security feature in SP2.

Secunia has a browser test page here:
http://secunia.com/internet_explorer_command_execution_vulnerability_test

Microsoft says affected systems include:

  • Internet Explorer 6.0 SP1 on Windows NT Server 4.0 SP6a or Windows NT Server 4.0, Terminal Server Edition SP6
  • Windows 2000 SP3
  • Windows 2000 SP4
  • Windows XP SP1
  • Windows XP SP2
  • Windows XP 64-Bit Edition SP1
  • Windows XP 64-Bit Edition Version 2003
  • Windows Server 2003
  • Windows Server 2003 64-Bit Edition
  • Windows 98
  • Windows 98 Second Edition (SE)
  • Windows Millennium Edition (Me)

Secunia says the solution is to use another product, or, “The vendor recommends that the ‘Drag and drop or copy and paste files’ option is disabled,” and, “Set security level to high for the ‘Internet’ zone.”
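
One way to audit the two workarounds quoted above on a Windows host, as an added PowerShell example that is not part of the original article or of Secunia's advisory. It assumes Microsoft's documented Internet Explorer zone registry layout (zone 3 is "Internet", URL action 1802 is "Drag and drop or copy and paste files", value 3 means Disable, CurrentLevel 0x12000 is the High template); the function name Get-ZoneHardening is hypothetical.

```powershell
# Added example: report whether the "Internet" zone (zone 3) has the two
# workarounds applied. Read-only; it changes nothing on the host.
$zone       = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$policyZone = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Documented meanings of URL action values and zone template levels.
$actionNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$levelNames  = @{ 0 = 'Custom'; 0x10000 = 'Low'; 0x10500 = 'Medium-low'
                  0x11000 = 'Medium'; 0x11500 = 'Medium-high'; 0x12000 = 'High' }

function Get-ZoneHardening {          # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    # A missing key or value is reported as "not set" rather than as an error.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $drag  = if ($props) { $props.'1802' }
    $level = if ($props) { $props.CurrentLevel }

    [pscustomobject]@{
        Location   = $Path
        DragDrop   = if ($null -eq $drag)  { 'not set' }
                     else { "$($actionNames[[int]$drag]) ($drag)" }
        DragDropOk = ($drag -eq 3)                 # "Disable", per the vendor workaround
        Level      = if ($null -eq $level) { 'not set' }
                     else { '{0} (0x{1:X})' -f $levelNames[[int]$level], [int]$level }
        LevelOk    = ($level -eq 0x12000)          # "High", per the vendor workaround
    }
}

# Check the Group Policy locations as well as the per-machine and per-user settings.
$locations = "HKLM:\$policyZone", "HKCU:\$policyZone", "HKLM:\$zone", "HKCU:\$zone"
$report = foreach ($path in $locations) { Get-ZoneHardening -Path $path }
$report | Format-Table -AutoSize
```

The two checks are reported separately because the drag and drop action and the zone's template level are stored as separate values; a location showing "not set" simply carries no setting of its own.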

===================

See:-
extremely critical - Extremely critical IE6 SP2 flaws, p2pnet, January 9, 2005


2 Responses to “Three ‘critical’ Windows flaws”

  1. Reader's Write Says:

    they're all critical

  2. Reader's Write Says:

    At least change the fonts when you copy and paste :)
