http://www.networkworld.com/community/blog/ie-flaw-could-allow-hackers-access-your-faceb?source=NWWNLE_nlt_security_2011-05-27

Microsoft is not too worried about this zero-day hole in all versions of IE. Microsoft spokesman Jerry Bryant said, "Given the level of required user interaction, this issue is not one we consider high risk. In order to possibly be impacted a user must visit a malicious website, be convinced to click and drag items around the page and the attacker would need to target a cookie from the website that the user was already logged into."

My slant on the situation:

Honestly, visiting a malicious website is about as easy as getting re-directed from a supposed known good site, due to any number of web application vulnerabilities (XSS, malicious iframes come to mind). And given if the user is already getting re-directed or hits the bad site, there is no telling what they might be tricked into doing.

I do agree there might not be a high likelihood that the site that the attacker stole the cookie from is the same site that the user is currently logged into, but if the attacker did steal the cookie (albeit credentials and otherwise) and replayed them to the sites they belong, it possibly could allow that attacker to impersonate the legitimate user and do any number of things.

Heads up gang, might be seeing a security advisory on this soon enough,

Z

Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email:[email protected]
Cell:401-639-3505
