Read up on the latest ideas and technologies from companies that sell hardware, software and services. Email Archiving Implementation: Five Costly Mistakes to Avoid
Cutting printer costs
Email Archiving Technical Overview
Taking On Demand CRM Integration to the Next Level
Revolutionising Back-up and Recovery
Strategies for Eliminating .PST Files
Why Security SaaS Makes Sense Today
Mimosa™ NearPoint™ for Microsoft® Exchange Server: Email Archiving 101
Zones provide focussed content from Computerworld and leading technology partners.Newsletter Subscription
A flaw in the way Microsoft's Internet Explorer browser processes FTP commands could let attackers steal or erase data from a victim's FTP site.
The bug, which affects users of IE 6 and the unsupported IE 5 browser, gives an attacker a way of hijacking the victim's FTP sessions. But a successful attack would be very hard to pull off and would only work in very precise, targeted attacks, security experts said.
The attacker would need to know the victim's username on the FTP server and the victim would have to already be logged into the server, using IE. Under those conditions, the victim could be sent a malicious FTP link that would then execute commands on the victim's FTP server.
This link could be sent to the browser via an invisible iFrame component, hidden on a malicious Web site, so the victim might not even know the attack was taking place.
"It's something that people could use to steal data, but you'd have to know your target," said Derek Abdine, the principal software engineer with security vendor Rapid7, who disclosed the issue Monday in a security advisory.
"The attack seems viable, but the stars have to be aligned just right for the attack to work," said Craig Schmugar, a researcher with McAfee's Avert Labs, in an e-mail. "An administrator would need to be authenticated already or the server would need to be configured with weak credentials."
Rapid7 notified Microsoft of the issue on Jan. 22 and decided to publish proof-of-concept code that illustrated the flaw after Microsoft had not patched the issue a month later.
The flaw is "almost exactly the same" as another IE FTP flaw that Microsoft patched in August 2006, Abdine said. Microsoft fixed that bug with its MS06-042 patch, issued in August 2006.
The MS06-042 update fixed many IE vulnerabilities, but it ended up embarrassing Microsoft. That's because the security patch had a flaw of its own, a critical security vulnerability that sent Microsoft's security team scrambling to re-issue the update.
The FTP problem does not affect IE 7, Microsoft said Tuesday. The software vendor has not heard of any attacks that take advantage of this vulnerability and has determined that any successful attack would only lead to the unauthorized disclosure of data, the company said in a statement.
Computerworld Member Login
Discover how SOA can create smarter outcomes for your business.
Attend and learn:
- How SOA is helping leading companies to become more agile
- Where you should be applying SOA processes in your company
- The top SOA implementation mistakes to avoid
Click here for more information.
- +
Computerworld Live Podcast #97: The Future of Enterprise Networking 25/07/2008 09:45:36
This week CW Live chats with Mark Thompson, global sales and marketing manager for HP ProCurve, on the future of the enterprise networking. Mark discusses the trends we can expect to see in the near future and how the right infrastructure can ensure your enterprise network is secure. - +
Computerworld Live Podcast #96: Security at the Edge 11/06/2008 09:22:22
CW Live speaks with Amol Mitra, HP ProCurve Director of Marketing for Asia Pacific and Japan. Today's topic: how enterprises are starting to shift away from simply controlling security via server logins, firewalls and moving to more adaptive security frameworks. - +
Data Management Edition #10: Multi-Petascale Systems 02/05/2008 09:12:33
This week we look at sustainability and the development of multicore technologies to build multi-petascale systems. - +
IT Security Edition #11: How to poison the Storm botnet 01/05/2008 08:51:55
This week CW Live presents a case study on how to poison the notorious Storm botnet . Plus we take a look at Cisco's plans for Ironport. - +
IT Security Edition #10: Cyber-battles fought and won 24/04/2008 11:09:47
Vendors bow to end user pressure to improve product security, and we take a look at the latest concepts shaping the cyber-battlefield of the future.
NetStar Networks Calls Brisbane Home 2008-10-13 12:01:00+10
New Verizon Business Managed Service Makes Collaboration Easier 2008-10-13 10:06:00+10
F-Secure achieves excellent results in Internet security suite comparison 2008-10-10 14:37:00+10
M2M Connectivity announces the new Sierra Wireless MC8792V embedded module for 900 MHz 3G/HSPA networks 2008-10-10 08:51:00+10
Pitney Bowes MapInfo Launches New Version of AnySite 2008-10-10 05:58:00+10
Delivering the Power of Choice with Microsoft Dynamics CRM
Join Ed Thompson, Research VP, featured analyst firm, Gartner, Inc., and Brad Wilson, General Manager CRM Microsoft Dynamics, for a new webcast, Delivering the Power of Choice with Microsoft Dynamics CRM, available now. Our panel will break down the best practices for getting the most out of CRM and you’ll learn key recommendations you can implement in your organization. Additionally, you’ll also hear Microsoft’s vision for CRM.
