Spyware, Viruses, & Security forum

General discussion

VULNERABILITIES - April 27, 2006

by Donna Buenaventura / April 27, 2006 1:37 AM PDT

Internet Explorer "mhtml:" Redirection Disclosure of Sensitive Information

Affected Software: Microsoft Internet Explorer 6.x

codedreamer has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to disclose potentially sensitive information.

The vulnerability is caused due to an error in the handling of redirections for URLs with the "mhtml:" URI handler. This can be exploited to access documents served from another web site.

Secunia has constructed a test, which is available at:
http://secunia.com/Internet_Explorer_Arbitrary_Content_Disclosure_Vulnerability_Test/

The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected.

Solution: Disable active scripting support.

http://secunia.com/advisories/19738/

Denial of service in HP StorageWorks Secure Path for Windows
by Marianna Schmudlach / April 27, 2006 2:22 AM PDT

- Denial of service in HP StorageWorks Secure Path for Windows -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

MADRID, April 27 2006 - HP has reported a vulnerability in HP StorageWorks Secure Path for Windows. The company has not offered information about the problem, and all that is known is that it lies in the HP StorageWorks Secure Path 4 for Windows agent, potentially allowing a remote attacker to crash the service.

HP has provided an update under the name Secure Path for Windows v4.0C-SP2, available at: http://h20000.www2.hp.com/bizsupport/TechSupport/ProductRoot.jsp

To download this update, select the option "Download Drivers and Software", find "HP StorageWorks Secure Path for Windows" in "Search products", choose "HP StorageWorks Secure Path for Windows" from the list of results, choose an operating system from the list, and finally, select "Recommended Patch - Secure Path for Windows v4.0C-SP2", to download the patch.

The original HP advisory is available at:
http://www5.itrc.hp.com/service/cki/docDisplay.do?docId=c00642089

Marianna (or Other): Does This Hole & Patch Only Apply To...
by tobeach / April 29, 2006 4:29 PM PDT

Servers, corporate or any other. Not to, say, laptops?
Spent an hour chasing this patch 'til this idea dawned on me (Duh!) :D

Marianna is gone for a few days and
by roddy32 / April 29, 2006 9:25 PM PDT

I don't have time to chase the links for you. I would imagine that if you have HP Storage Works, then you should follow the links and apply the patch for your operating system. If you don't have HP Storage Works then I would not worry about it.

Donna, I had to enable active scripting
by tom4561 / April 27, 2006 9:50 AM PDT

Tried to take the solution advice and disable, but my Hotmail account and this Cnet login account stopped working when I disabled active scripting. I'm afraid to take the vulnerability test in your message for fear I'll pick up a virus. Any thoughts? Tom.

Tom, it is ONLY a TEST - nothing can happen.
by Marianna Schmudlach / April 27, 2006 9:57 AM PDT

My FF is not vulnerable ;)
