[Vulnerable] Microsoft Internet Explorer (CERT)

CERT: IE bug is bait for phishers
http://zdnet.com.com/2100-1105_2-5232993.html


The U.S. Computer Emergency Readiness Team (US-CERT), the Internet
security watchdog, released a security alert on Friday warning of a
flaw in Microsoft's Internet Explorer which allows attackers to run
programs on a user's computer.

The flaw is in IE's cross-domain security model, which keeps frame
content from different sources separate. This means that attackers
could run programs and view files using the privileges of the user
running IE.

Graham Cluley, senior technology consultant at Sophos, said on Monday
that there are no reports so far of viruses or hackers exploiting this
vulnerability; however, home users and businesses should be careful
while "Microsoft feverishly puts the fix together".


"The flaw is not banking-specific," Cluley said, however, phishers
could exploit the flaw to run a key logger, capturing Internet-banking
passwords typed on the computer's keyboard. Key loggers can be
installed on the computer by worms or Trojans, Cluley warned.

This is more difficult to avoid than the standard phishing attack that
involves users entering their details into a fraudulent Web site,
having been directed there by a spoofed email.

US-CERT advises that users disable Active scripting and ActiveX
controls, maintain antivirus software and do not click on unsolicited
links.

A spokesperson for Microsoft on Monday said that the company is
currently investigating this bug and will put out a patch as soon as
possible. Meanwhile they have updated their advice on how users can
"Help ward off hackers and attackers".




Meritorios de Filtrado (Kill-File Global):
tella llop, jm (N.B. 2003.10.25)


«Primero te ignoran, después se ríen de tí, para después luchar contra tí. En ese momento, has ganado. (Ghandi)»