[LUG.ro] [OT] For a bit of a laugh at IE's holes

Juan Martin lugro@lugro.org.ar
Thu, 1 Jul 2004 16:23:19 -0300 (ART)


Hello everyone.
Sorry for the OT, and apologies if I offended anyone with the
subject line, since several of us still use M$ window$.

With so many holes it looks like a colander.

Here is the link
http://www.internetnews.com/security/article.php/3374931

Here is the article


June 29, 2004
US-CERT: Beware of IE
By Ryan Naraine

The U.S. government's Computer Emergency Readiness Team (US-CERT) is warning Web surfers to stop using Microsoft's Internet Explorer (IE) browser.

On the heels of last week's sophisticated malware attack that targeted a known IE flaw, US-CERT updated an earlier advisory to recommend the use of alternative browsers because of "significant vulnerabilities" in technologies embedded in IE.

"There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME-type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different Web browser, especially when browsing untrusted sites," US-CERT noted in a vulnerability note.

The latest US-CERT position comes at a crucial time for Microsoft, which has invested heavily to add secure browsing technologies in the coming Windows XP Service Pack 2. The software giant has spent the last few months talking up the coming IE security improvements but the slow response to patching well-known -- and sometimes "critical" -- browser holes isn't sitting well with security experts.

On discussion lists and message boards, security researchers have spent a lot of time beating the "Dump IE" drum, and the US-CERT notice is sure to lend credibility to the movement away from the world's most popular browser.

US-CERT is a non-profit partnership between the Department of Homeland Security (DHS) and the public and private sectors. It was established in September 2003 to improve computer security preparedness and response to cyber attacks in the United States.

It has been more than two weeks since Microsoft confirmed the existence of an "extremely critical" IE bug, which was being used to load adware/spyware and malware on PCs without user intervention but, even though the company hinted it would go outside its monthly security update cycle to issue a fix, the flaw remains unpatched.

US-CERT researchers say the IE browser does not adequately validate the security context of a frame that has been redirected by a Web server. It opens the door for an attacker to exploit the flaw by executing script in different security domains.

"By causing script to be evaluated in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE," according to the advisory.

"Functional exploit code is publicly available, and there are reports of incidents involving this vulnerability."

To protect against the flaw, IE users are urged to disable Active scripting and ActiveX controls in the Internet Zone (or any zone used by an attacker). Other temporary workarounds include the application of the Outlook e-mail security update; the use of plain-text e-mails and the use of anti-virus software.

Surfers must also get into the habit of not clicking on unsolicited URLs from e-mail, instant messages, Web forums or internet relay chat (IRC) sessions.


Regards
Juanma
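
Added example, not part of the original message or the quoted article: a small Python check that the workaround the article mentions (Active scripting and ActiveX disabled in the Internet Zone) is actually in place, run against a .reg export of the IE zone settings. It assumes the export has already been decoded to text; the sample export is constructed, and the value names 1400 and 1200 are the standard IE URL-action entries for Active scripting and running ActiveX controls (3 means "disable").

```python
import re

# IE URL-action value names under ...\Internet Settings\Zones\<zone>.
# Setting values: 0 = enable, 1 = prompt, 3 = disable.
ACTIONS = {"1400": "Active scripting",
           "1200": "Run ActiveX controls and plug-ins"}
DISABLED = 3
ZONE_KEY = re.compile(r"^\[HKEY_[^\]]*\\Internet Settings\\Zones\\(\d+)\]$", re.I)
DWORD = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

def parse_zones(reg_text):
    """Return {zone_number: {value_name: int}} from .reg export text."""
    zones, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = ZONE_KEY.match(line)
            # Any other key ends the current zone section.
            current = zones.setdefault(int(m.group(1)), {}) if m else None
        elif current is not None:
            m = DWORD.match(line)
            if m:
                current[m.group(1).upper()] = int(m.group(2), 16)
    return zones

def audit(reg_text, zone=3):
    """List settings in `zone` (3 = Internet Zone) that are not disabled."""
    settings = parse_zones(reg_text).get(zone, {})
    findings = []
    for name, label in ACTIONS.items():
        value = settings.get(name)
        if value != DISABLED:
            state = "not set" if value is None else f"set to {value}"
            findings.append(f"zone {zone}: {label} ({name}) is {state}, expected {DISABLED}")
    return findings

# Constructed sample export: Internet Zone still allows ActiveX to run.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00000000
"1400"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1200"=dword:00000003
"1400"=dword:00000003
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A value that is missing from the export is reported as "not set" rather than assumed safe, since the effective setting then comes from defaults or policy that the export does not show.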
