
Long live Internet Explorer - a few more bugs

Discussion in 'Windows Desktop e Surface' started by Andr0m3da, 17 May 2002. (Replies: 0; Views: 1038)

  1. Andr0m3da

    Andr0m3da Power Member

    Madrid, May 16 2002 - Microsoft has released a patch (*) to correct six
    vulnerabilities in Internet Explorer versions 5.01, 5.5 and 6.0. This
    security update resolves some issues which could allow code to be run on
    affected systems and it is therefore advisable to install it, where
    necessary, as soon as possible.

    The first vulnerability is a cross-site scripting issue, and lies in the
    HTML pages that Internet Explorer installs by default and are run in the
    local computer zone. An attacker could, in effect, craft a web page, hosted
    on a server or sent by e-mail, which, when the web page was viewed and the
    user clicked on the URL link, would inject script which would run in the
    Local Computer zone.

    The second problem stems from the object that supports CSS files (Cascading
    Style Sheets) and could allow a web page or HTML mail to be created which
    could read a user's system files. In order to exploit this, the attacker
    would need to know the exact location of the files and would not be able to
    carry out any action other than reading them.

    The third vulnerability could allow an attacker to construct a cookie that
    could contain script for reading or modifying cookies from other sites. As
    in the previous case, to exploit this vulnerability, the attacker would need
    to know the exact name of the cookie stored on the user's system.

    The fourth problem resolved by this Microsoft patch is related to the
    Internet Explorer security zones, as it is possible to create a web page and
    force it to be run in the "Intranet" zone or, less commonly, the "Trusted
    Sites" zone. As these areas have fewer security restrictions, it may be
    possible to carry out potentially dangerous actions.

    The last two vulnerabilities are variants of a previously resolved one, and
    affect how IE handles downloads when a downloadable file's
    Content-Disposition and Content-Type headers are intentionally malformed. As
    opposed to the earlier vulnerability, these can only be exploited if the
    system has certain applications installed.

    Microsoft has also included an improvement to the Restricted Sites option
    based on blocking the use of frames. In this way, by default, an HTML e-mail
    is prevented from opening a new window automatically or launching the
    download of an executable.

    The patch is available from:
    http://www.microsoft.com/windows/ie/downloads/critical/Q321232/default.asp

    (*) Full details on the vulnerabilities and the Microsoft patch are available
    from: http://www.microsoft.com/technet/security/bulletin/MS02-023.asp
     
