Enterprise Newsletter
 
NEWSLETTERS
 

CIO.com updates, insights and advice on technology, management and your career.

 CIO Blogs and Discussion
 CIO Web 2.0
 CIO Leader
 CIO Enterprise
 CIO Insider
More Newsletters | Edit Profile
 
RSS Feeds »
 
 
LEADERSHIP
 
CIO Executive Programs
The Leader in Face-to-Face Education for Senior Executives

Offering regional and national programs, CIO (and CSO) events bring together some of the most respected names and thought leaders in information technology and security. Presented by CIOs and other senior level executives, these invitation-only programs offer timely topics and strong networking. Learn More »

 
CIO Executive Council
A Peer-Advisory Service and Professional Association for CIOs

Mid-Market CIO Panel: Tips and Techniques for Improving Vendor Relationships

July 15, 4:00 PM - 5:00 PM U.S./Eastern (GMT-4)

We'll highlight relationship priorities and best practices identified in a Council study, and we'll interact with a CIO panel on the approaches they've used to improve strategic vendor partnerships.

Secrets of Successful Vendor Contract Negotiations for the Mid-Market

Sept. 10, 2009, 11:00 AM - 12:00 PM U.S./Eastern (GMT-4)

On this free public Council teleconference, Matthew A. Karlyn, attorney at Foley & Lardner in Boston, will share tips on negotiating tactics and new, creative contract terms to help mid-market CIOs make better deals.

Executive Competencies Assessment Tool

Assess Your Business Leadership Skills with the Council's new benchmarking tool. Rate yourself in change leadership, strategy, customer focus and more.

More / Register »

Learn more about the CIO Executive Council »



 
 
RESOURCE CENTER
 

buy a link »

Ads by TechWords
 
 
SUBSCRIBE TO CIO
 
Are you involved in setting the direction for your company's IT budget or strategy?

Apply today for a FREE subscription to CIO Magazine!

Subscription Services »
Reprints »

 
 
News
 

After 'treasure Hunt,' Hacker Releases IE Attack Code

One week after hiding Internet Explorer attack code on his Web site, security researcher Aviv Raff has posted details on how to launch the attack.

 

By Robert McMillan

May 15, 2008 — IDG News Service —

One week after hiding Internet Explorer attack code on his Web site, security researcher Aviv Raff has posted details on how to launch the attack.

The bug lies in the "Print Table of Links" feature, which lets IE users print out a Web page along with a list of all the links on the page tacked onto the end. Raff discovered that if an attacker added special scripting code to a Web page, he could then run unauthorized software on the PCs of IE users who printed using this feature.

The flaw affects IE 7 and IE 8, Raff said. Security vendor Secunia said that the bug also affects IE 6.

Because the hack requires that the user be tricked into following so many steps -- not only visiting a Web page, but then printing a page with this feature selected -- Secunia has rated it as a "less critical."

Raff said that the flaw could be a more serious issue if hackers were to add the code to Web pages that were frequently printed out, such as those on Wikipedia.

The bug has not been patched by Microsoft, which was notified of the issue just last week.

Raff disclosed the flaw in an unusual way, embedding it in his own Web site and then inviting other hackers to come and find it. He called this a "treasure hunt."

The Israeli hacker said that the treasure hunt idea came from a local custom of playing such games during Israel's Independence Day. The contest was won Tuesday by someone calling himself "George the Greek."

Microsoft didn't get much time to fix the vulnerability, but Raff said he didn't feel that Microsoft would address the issue quickly unless he went public with the vulnerability.

When he has followed Microsoft's responsible disclosure guidelines in the past, the company has been too slow to fix bugs, he said.

Microsoft is thinking about putting a fix for the problem in an upcoming security update, the company said in a statement. It too downplayed the risk. "Our investigation has shown an attack would require significant user interaction," the company said. " An attacker would need to convince a user to select a non-default printing option and print a malicious web page in order for an attack to be successful."

Though Raff's attack code has been posted to the Millworm Web site, Microsoft says it's not heard of any attacks that exploit this vulnerability.

Copyright © 2008 IDG News Service. All rights reserved. IDG News Service is a trademark of International Data Group, Inc.
 
 
Loading...
 
WHITE PAPERS

Global Change in the TV Industry

Capgemini and MediaXchange have captured key insight to the change across the TV industry.
 

The Gartner Magic Quadrant for IT PPM Applications

This report evaluates 19 vendors on their ability to execute and completeness of vision.
 

A Bottleneck-free Infrastructure

Storage bottlenecks have a significant impact on performance and productivity.
 

Investing in Business Analytics Technology

Find the answers to your questions about business anyalytics initiatives.
 

Document-Sharing Solutions

Examine the benefits and challenges that IT executives are facing and how they plan to control the changes.
 

How Can Your Organization Weather This Economic Storm?

IT executives are under intense pressure to cut costs, and that pressure is significantly increased by the current grim economic outlook.
 

WEBCASTS

Managing Client Systems in the Enterprise

Keeping client systems costs under control is just one of the many initiatives IT must address when trying to manag...
 

Webcast with Dan Vesset: Investing in Business Analytics Technology

What exactly is business analytics and why should you care? Dan Vesset of IDC and Gaurav Verma of SAS answer this a...
 

Enterprise Cloud Computing: Ready for Primetime?

The progression toward enterprise cloud computing is happening today, as industry leaders deploy technologies that ...
 

Preparing Your Business Services for the Future

Would you trust your network monitoring tools enough to know when something is truly halting a business service? Wh...
 

Enterprise System Management Challenges in Big Organizations with Eli Almog

In this Podcast with Eli Almog, Corporate Architect in BMC's CTO Office, discusses how IT managers can know when it...
 

A Down-to-Earth look at Cloud Computing

Is cloud computing going to take over the data center as we know it? Join us as we talk about cloud computing with...
 

Resource Alerts

Get instant email notifications by topic when white papers, webcasts, and case studies are added to our library.

 
FEATURED SPONSORS
 
 
 
SPONSORED LINKS
 

Seven Ways ITIL Can Help You in an Economic Downturn

Maximizing the Business Value of the PC Infrastructure

Using Open Source to Deploy Web Applications

How Interactive Viewer Reduces the Effort to Meet Visualization Requirements

White Paper: 8 Key Ingredients to Building an Internal Cloud

Software Executives: Take Control of Your Organization's Code Quality

BPM ROI calculator

Oracle's Application Grid Technical Demo

Next-Generation Application Servers and Infrastructure

Application Infrastructure at Enterprise Organizations

Achieving Business Agility with Application Grid

Craft a Strategy to Lower Your Total Cost of Ownership

A Natural User Interface for Enterprise Applications

On-Demand HR for a Global Organization

Four steps to populate your CMDB.

Delivering Secure and Reliable Data through Spreadsheet Automation

Open Source BI: Inexpensive Solutions for Developers

Gartner Shares Predictions for 2009

Reduce risk, gain agility. See how Progress can help your business.

Improve ROI, lower TCO and reduce energy consumption.

Introducing the new HP ProLiant G6 server family

Accenture: Outsourcing for Competitive Advantage. More...

Better spam protection with Postini for just $1/user/mo

Introducing the new HP ProLiant G6 server family

infoBOOM! - The Mid-Sized Company CIO's Exclusive Community

Revolutionizing Enterprise Application Deployment

Learn how to managing client systems in the enterprise.

Cloud Computing: Read about VMware's compelling vision & set of products

Top-line Performance that's Bottom-line Efficient

How Open Source is Changing the Face of Enterprise Software

BPM Survey Results: The Real-World Analysis

Ready to Act: 3 Recommendations for Agile Processes

Oracle WebLogic Server Technical Demo

Data Grids and Service-Oriented Architecture

Achieving the Impossible: Unlimited Application Scalability

A Middleware Foundation for Application Grid

Next Generation Enterprise Applications

A Truly Global HCM System

Learn how to provide complete Business Service Management.

Increase ROI of Your Application Portfolio

Financial Institutions Need Rich Internet Applicatons

Forrester: Implementing Rich Internet Applications

"Enterprise-Proven" is the Prerequisite for Enterprise SaaS Portal Solutions

64-page prescriptive guide to security, compliance, and IT operations.

Get Google Enterprise Search for your business information.

Accenture IT Consulting: Enabling high performance. More...

Top Five CIO Challenges

Insight makes it easy to spend your Microsoft subsidy check.

Five minute business analytics assessment. Immediate results.

Dangerous Collaboration Practices: 5 Ways IT Can Minimize Risk