Microsoft flaws let in porno pop-ups...
By Robert Lemos
Published: 10 June 2004 09:05 GMT
An adware purveyor has apparently used two previously unknown security flaws in Microsoft's Internet Explorer browser to install a toolbar on victims' computers that triggers pop-up ads, researchers said this week.
One flaw lets an attacker run a program on a victim's machine, while the other enables malicious code to "cross zones," or run with privileges higher than normal. Together, the two issues allow for the creation of a website that, when visited by victims, can upload and install programs to the victim's computer, according to two analyses of the security holes.
The possibility that a group or company has apparently used the vulnerabilities as a way to sneak unwanted advertising software, or adware, onto a user's computer could be grounds for criminal charges, said Stephen Toulouse, security program manager for Microsoft.
"We consider that any use of an exploit to run a program is a criminal use," he said. "We are going to work aggressively with law enforcement to prosecute individuals or companies that do so."
Microsoft learned of the issue when a security researcher posted an analysis of the problem to the Full Disclosure security mailing list Monday. The software giant has already contacted the FBI and is in the "early stages" of building the case, Toulouse said. The company is considering creating a patch quickly and releasing it as soon as possible, rather than waiting for its usual monthly update.
The flaws are apparently being used to install the I-Lookup search bar, an adware toolbar that is added to IE's other toolbars. The adware changes the Internet Explorer home page, connects to one of six advertising sites and frequently displays pop-ups - mainly pornographic ads, according to an adware advisory on antivirus company Symantec's website.
On Tuesday, security information group Secunia released an advisory about the problem, rating the two flaws "extremely critical."
The flaws could let any attacker with a website send an email message or an instant message with a link that, when clicked on by an Internet Explorer user, would cause a program to run on that victim's computer.
Robert Lemos writes for News.com
Security still top of their agenda eh?
Craig
Hmmm... Think this infected my computer last week...
Nigel
I gussed it was a security flaw in IE, at least it...
Kevin
Integration Architect/Manager Websphere MQ,WMQ,WMB, Message Broker Location: London Salary: 50,000 - 70,000 Company: ANSON MCCADE Job type: Permanent ...
Telesales Executive, Advertising and Media, Lincoln 14,000 to 16,000 Basic, 24,000 OTE realistic in Year One Fantastic sales role that is ideal for a ...
Advertising Campaign Manager required for my Central London based Client, an exciting independently owned company leading the field in the ...
Agenda Setters 2009
Welcome to the ninth annual Agenda Setters poll – silicon.com's list of the top 50 most influential individuals in the technology and IT industries, from techies and CIOs to entrepreneurs and business leaders. Find out more in our latest special report.
Is Your Enterprise Architected for Tomorrow's Growth?
Improving IT service delivery through an integrated approach to software asset management...
TechRepublic Resource Guide: Software as a Service (SaaS) for Small and Midsize Businesses...
Download a Free Trial of SmartDraw: Learn why SmartDraw is the ideal alternative...
Stories from the web...
Copyright © 2008 CBS Interactive Limited. All rights reserved. Top of page
Digg
Slashdot
Del.icio.us
Stumble
Reddit
RSS Feeds
Clive Longbottom Windows 7: Not perfect - but ready for prime time Microsoft's latest OS fixes most of Vista's ills - but still has challenges ahead
Stephen Kleynhans Mind the details with Windows 7 Just because it might work better than Vista, it doesn't mean you can be sloppy