Computerworld
Quick Menu
Search



Ads by TechWords

See your link here


Subscribe to our e-mail newsletters
For more info on a specific newsletter, click the title. Details will be displayed in a new window.
Virus and Vulnerability Roundup
Finance
Security
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
More E-Mail Newsletters 

Computerworld 2007Subscribe to Computerworld
40 years of the most authoritative source of news and information for IT leaders.

0day treasure hunt: Researcher hides IE attack on Web

Aviv Raff has a strange way of celebrating Israel's 60th birthday

By Robert McMillan
Comments
7
Recommended
118

Active Comments

Mat says: It's jackass "researchers" like this that form the thin line between IT professionals and malware authors? God help us... 'cause...
Read the rest | Reply
Rimma says: Rear side. , black sexy models, [url="http://www.viddler.com/groups/sexymodels"]black sexy models[/url], http://www.viddler.com/groups/sexymodels black sexy models,...
Read the rest | Reply
All Comments (7) | Post New


May 7, 2008 (IDG News Service) Security researcher Aviv Raff has published code that would allow someone to take control of a computer running Internet Explorer, but there's a catch. He's not saying exactly where he's hidden the attack.

"Somewhere in my blog, I embedded a proof-of-concept code which exploits this 0day vulnerability," Raff wrote in a Wednesday blog posting. A 0day attack is a previously undisclosed software flaw that has not been fixed by the software maker.

The bug, which affects Internet Explorer 7 and IE 8, could allow an attacker to run unauthorized software on a victim's computer. Raff informed Microsoft of the flaw on Tuesday and the software vendor has not yet patched it, Raff said.

Microsoft didn't get much time to fix the bug, but Raff said he didn't feel that Microsoft would address the issue quickly unless he went public with the vulnerability.

When he has followed Microsoft's responsible disclosure guidelines in the past, the company has been too slow to fix bugs, he said via instant message. "The last time I used their Responsible Disclosure policy it took them six months to fix one line of code."

For Raff's attack to work, the hacker would first have to put a small amount of HTML code on a Web site and then persuade the victim to use a specific Internet Explorer feature on that site, he said.

The Israeli hacker said that the idea of disclosing his attack in a treasure hunt came from a local custom of playing such games during Israel's Independence Day, which falls on Thursday.

Raff has put the code on his own Web site, and he will offer clues as to what people must do to trigger the flaw over the next few days. When triggered, Raff's proof-of-concept code launches two copies of Microsoft's calculator software on the victim's computer, but it could be altered to do something malicious.

Next Wednesday, he will release full details of the bug along with his proof-of-concept code.

Microsoft was unable to immediately comment for this story.


Reprinted with permission from

IDG.net
Story copyright 2008 International Data Group. All rights reserved.

Make a Comment Recommend Story Slashdot this Digg this
Print Story Send Feedback Email this Reprints

Related Content

Webcast: Real-time collaboration and development with IBM® Rational® Team Concert streamlines any project
Whitepaper: IronPort Encryption Technology: Safeguarding Business Email

CW Report: An Apple for Your Enterprise?
Safari flaw worse than first thought, Microsoft warns
Bad week for Microsoft. Browsers, OS and Boxes
Microsoft, Novell eye Moonlight beta, system management
The Apple Search Engine? I Hope Not
Microsoft: Office Web will be available from Mac, Linux, iPhone

Today's Top Stories

Clues point to Jan. 13 release of Windows 7 beta
Microsoft releases Vista SP2 beta
Obama's DHS pick may find support for raising H-1B cap at confirmation hearing
IBM wants info from Apple execs in Papermaster case
License server glitch exposes SonicWall users to e-mail security threats
Report: Former AOL chief exec tries to raise funds to buy Yahoo

What People Are Saying

See comments | Add new
See comments | Add new

Resource Alerts

to receive Spam, Malware and Vulnerabilities Resource Alerts

Webcasts

The Secure Web Gateway. Mission Critical For Business

Client Security Podcast

Real-time collaboration and development with IBM® Rational® Team Concert streamlines any project

Whitepapers

Learn How to Think Ahead of Attacks and Protect your Data For the Future

IronPort Web Reputation Filters Tech Note

IronPort Encryption Technology: Safeguarding Business Email

Computerworld Reports

Compterworld Technology Briefing: Intelligent Users Use Business Intelligence

Computerworld Report- Large Enterprises Pay More for IPAM

An Apple for Your Enterprise?

Editor's Picks

Clues point to Jan. 13 release of Windows 7 beta

Microsoft releases Vista SP2 beta

Obama's DHS pick may find support for raising H-1B cap at confirmation hearing

IBM wants info from Apple execs in Papermaster case

License server glitch exposes SonicWall users to e-mail security threats

Report: Former AOL chief exec tries to raise funds to buy Yahoo

XenServer FREE trial
XenServer FREE trial
Citrix XenServer is the simplest and most effective way to virtualize and provision servers. XenServer combines comprehensive server virtualization capabilities with unparalleled scalability, performance, economics, and ease-of-use. Based on the open source Xen hypervisor, XenServer delivers fast performance, easy management, and advanced features such as live migration.

Request free trial now

White Papers
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
The 2008 ERP in Manufacturing Benchmark Report Summary
IronPort Web Reputation Filters Tech Note
Designed to Manage Lean Principles
View more whitepapers 
 
About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map
CIO Computerworld CSO DEMO GamePro Games.net IDG Connect IDG World Expo Infoworld
The Industry Standard ITworld JavaWorld LinuxWorld MacUser Macworld Network World PC World Playlist
Copyright © 2008 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.