| A slew of denial-of-service flaws seem to be cropping up lately, or maybe it’s just that I’ve been finding a lot of them. |
I’ll start off this week’s column by talking about a flaw that affects multiple Web browsers, including both Firefox and Internet Explorer.
Many browsers are vulnerable to ‘marquee tags’
Several browsers can be crashed by hackers, forcing your PC to consume a large amount of CPU resources. This vulnerability is due to the way in which certain browsers handle nested marquee tags. A hacker could exploit this flaw by tricking a user into loading a Web page that’s designed this way.
This flaw has been confirmed in Mozilla Firefox 220.127.116.11, Microsoft Internet Explorer 6.x (on multiple versions of Windows), Flock beta 1 0.7, and all versions of Opera. Information suggests that other versions of these browsers may also be affected.
What to do: Considering how many browsers are affected by this flaw, the old advice about not visiting Web sites that you don’t trust comes to mind. But we all know that this alone won’t protect you. The best thing you can do is to make sure that you are using Brian’s Security Baseline, if you aren’t already. If you’re using Firefox, I highly recommend using the NoScript add-on. This allows you to disable scripting and selectively enable it only on Web sites that you trust.
More Information: CVE-2006-6956, CVE-2006-6955, CVE-2006-2723, SecurityFocus, ISS
Windows Mobile devices can be crashed
Trend Micro recently discovered two flaws in the Windows Mobile OS. These problems allow a hacker to run a Denial of Service (DoS) attack against mobile devices, with a little help from the user.
The first flaw involves Windows Mobile’s "Pictures and Video" application. This can cause a mobile device to hang for several minutes if it tries to load a hacked JPEG file.