[log in to unmask] ----- Original Message ----- From: [log in to unmask] To: undisclosed-recipients: Sent: Saturday, March 31, 2001 9:56 AM Subject: (no subject) From Wired News, available online at: http://www.wired.com/news/print/0,1294,42750,00.html IE Hole Surrenders Your Computer by Michelle Delio 8:00 a.m. Mar. 30, 2001 PST A dangerous security hole has been discovered in Microsoft's Internet Explorer. Spanish security expert Juan Carlos Cuartango discovered the hole, which allows attackers complete access and control over any computer running any version of the Windows operating system and Internet Explorer Versions 5 and 5.5. An attacker can gain control of another user's machine using an HTML-formatted e-mail with an attachment that contains a small remote-control program. The e-mail can be sent directly to the victim, or can be placed on a website. Unlike previous e-mail-activated attacks, the victim of this attack does not have to download the e-mail or click on the attachment for it to work. If a malicious user sends an affected HTML e-mail or hosts an affected e-mail on a website, and a user opens the e-mail or visits the website, Internet Explorer automatically runs the excecutable program on the user's computer. Typically, attackers will exploit the hole by sending a provocative e-mail to prospective victims in an attempt to lure them to the malicious website. Once a computer has been compromised, the attacker -- working from a remote location -- can do anything the computer's owner could do on the machine. "This is the biggest Microsoft Internet Explorer vulnerability I have ever discovered," said Cuartango, who details the hole and its ramifications for Windows computer users on his Spanish-language website. Microsoft was not immediately available for comment, but has released a "critical" security alert as well as a patch to fix the hole. Microsoft strongly advises "all customers using Microsoft Internet Explorer to install the patch immediately." The company says full documentation of the problem will be posted by Saturday. Cuartango said he alerted Microsoft to the problem on Feb. 14. "Microsoft responded immediately and their security team also started working immediately to produce a fix," he said. Related Wired Links: Inside Russia's Hacking Culture Mar. 12, 2001 Got a Virus? Blame the Tightwads Feb. 28, 2001 Earthlink Slow to Admit Attack Feb. 21, 2001 The Internet: It's Full of Holes Feb. 6, 2001 The Greatest Hacks of All Time Feb. 6, 2001 Security Mavens Invaded by Trojan Feb. 1, 2001 A Bad Day for Microsoft Sites Jan. 24, 2001 Web Privacy, Security Weighed Dec. 9, 2000 How MS Helped With Own Hack Oct. 27, 2000 Scary Hole Found at ZKey Aug. 18, 2000 Hacker Finds Hole in Netscape Aug. 7, 2000 Copyright (C) 1994-2001 Wired Digital Inc. All rights reserved. ---------------------------------------------------------------------- To sign-off Parkinsn send a message to: mailto:[log in to unmask] In the body of the message put: signoff parkinsn