Free Republic

Microsoft Plugs IE; Warns All Browsers At Risk (Test Your Browser Here)
TechWeb ^ | July 2, 2004 | Gregg Keizer

Posted on 07/03/2004 9:46:15 PM PDT by Eagle9

As if to prove the point that security is like the Dutch boy at the dike, Microsoft on Friday released a stop-gap fix for one of several vulnerabilities that have plagued its Internet Explorer just as a security firm warned that virtually every browser -- not just IE -- can be spoofed by hackers.

The update, which Microsoft tagged as “Critical,” isn't a patch per se, but rather a change to Windows that disables the ADODB.Stream object within the operating system's Data Access Components (DAC).

Last week, an innovative attack launched by a Russian hacker group from previously-infected Microsoft Internet Information Services (IIS) servers compromised a large number of PCs with identity- and financial information-thieving Trojan horses and key loggers. The attack exploited a pair of vulnerabilities in Internet Explorer, one of which -- ADODB -- had not been patched by Microsoft.

While the Russian Web site that hosted the malicious code -- which was surreptitiously downloaded to the compromised computers -- was taken down last Friday to remove the immediate danger, Microsoft has still not released a patch. The ADODB disabler is meant only as a temporary fix, said Microsoft, until it can permanently fix IE.

“In addition to this configuration change, Microsoft is working to provide a series of security updates to Internet Explorer in coming weeks that will provide additional protections,” said Microsoft in a statement. Microsoft did not offer up a timeline for any future IE patches, saying only that “a comprehensive update will be released once it has been thoroughly tested.”

The update to disable ADODB should be downloaded and installed by all users of Windows NT, Windows 2000, Windows XP, and Windows Server 2003, Microsoft said. It's available on the Windows Download site, or via the Windows Update service. Windows XP Service Pack 2 (SP2), which is expected to release in final form this summer, is not susceptible to the ADODB vulnerability.

Friday's update is one of the few pieces of good news IE users have heard in the last week.

After a rash of exploits against IE vulnerabilities -- including the Web attack of last week, password-stealing Trojans, and a new way for hackers to spoof, or fake, Web sites -- some security analysts questioned whether Internet Explorer was safe enough to use.

Even the U.S. Computer Emergency Response Team (US-CERT), part of the federal government's Department of Homeland Security, recommended that users consider ditching IE for an alternate such as Mozilla or Opera.

“We're recommending one of two things,” said Thomas Kristensen, the chief technology officer at Danish security firm Secunia. “Either use Internet Explorer under very restricted security settings -- which may not be possible for all companies -- or install a different browser.”

Wednesday, Secunia issued a warning saying it had discovered a vulnerability within IE that allowed scammers to spoof, or fake, the content of a site displayed in the browser.

On Friday, however, the security vendor modified the alert to claim that virtually every browser, from Internet Explorer and Mozilla to Opera and Netscape -- including browsers for both Windows and the Mac OS -- has this flaw.

“It's not a code vulnerability,” said Secunia's Kristensen, “but a design flaw.”

The problem stems from how browsers handle frames. “Some time ago, browser designers decided that one site needed to be able to manipulate the content of another, and the functionality was adopted by everyone,” said Kristensen. But hackers can use this to inject phony content -- say their own credit card-stealing form -- into a frame of an actual trusted Web site, such as a user's online bank.

“In these times of phishing attacks and other scams, this is a problem,” said Kristensen. “You're visiting a bank or an e-commerce site, and you're certain of that site, but meanwhile, it's [actually] open in the background to content change by hackers.”

Internet Explorer users can stymie such spoofing attacks by disabling the “Navigate sub-frames across different domains” setting under Tools/Internet Options/Security.

Secunia offered up a quick test that users can run to see if their current browser is vulnerable to this problem.


TOPICS: Business/Economy; Front Page News; Technical
KEYWORDS: browser; getamac; ie; internetexploiter; lowqualitycrap; microsoft; patch; security; securityflaw; technology; vulnerability; vulnerable; windows
To: Eagle9

Thanks


101 posted on 07/04/2004 9:42:17 AM PDT by Friend of thunder (No sane person wants war, but oppressors want oppression.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Eagle9

Netscape 7.0 failed on my Mac OS 9 system


102 posted on 07/04/2004 9:49:12 AM PDT by Tribune7
[ Post Reply | Private Reply | To 1 | View Replies]

To: Eagle9; All
Test your browser.

I did the upgrade, Critical Update for ADODB.stream (KB870669), shut down my computer, restarted it, and I was still vulnerable. Was that the wrong upgrade?

103 posted on 07/04/2004 10:08:25 AM PDT by Friend of thunder (No sane person wants war, but oppressors want oppression.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: FL_engineer; All
Thanks for interpreting all of that. By that I mean, I am not anywhere even close to being an expert on this subject. I just just barely enough to read and follow instructions from people like yourself. I had read that about the LMZ last night and all I got out of it was a headache. So, I decided not to even mention it and wait for someone who knew what they doing to interpret it.

Now, I just need to go back and read your instructions again ... no, I can do that later. I'm just gonna shutdown the computer, enjoy the day, and come back tonight or tomorrow. Again, thank you.

_________________________________________________________________

To everyone else: I posted this article for informative purposes only, and am not a technical expert. If you have technical questions, I can only suggest that you ask any those FReepers on this thread that are giving advice.

104 posted on 07/04/2004 10:23:58 AM PDT by Eagle9
[ Post Reply | Private Reply | To 67 | View Replies]

To: Eagle9
Every browser that I have on my Virtual PC partition was vulnerable and every browser, except Firefox 0.9.1, on the Mac was vulnerable. The old version of Firefox (0.8) was vulnerable. I have always liked Firefox (by whatever name it has gone by). It's interesting to note that a version 0.9 of a publicly supported browser is more secure than a version 5.x of a Microsloth browser.

I normally use Safari as my primary browser, but I use Firefox a lot, as my secondary browser. The only reason that I use Safari as my primary browser is because of its lightning speed in loading complex pages. I'll just switch around for a few weeks. In fact, if 0.9.1 continues to be as good as it looks, I may not switch back.

Microsloth's attention to security has always been so poor that the only reason that I even have Internet Exploder on my computer is for testing the appearance and functionality of web pages that I have just produced, and even then, I close the app immediately after testing.

Netscape used to be a very fine browser, but Firefox has left them in the dust. Camino and Opera are promising, but they still have a long way to go.

For now, FIREFOX RULES!

105 posted on 07/04/2004 10:29:28 AM PDT by Action-America (Best President: Reagan * Worst President: Klinton * Worst GOP President: Dubya)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Friend of thunder
See my post #104. I suggest you ask FL_engineer, or any of the others on this thread who know a lot about these tech subjects.
106 posted on 07/04/2004 10:30:44 AM PDT by Eagle9
[ Post Reply | Private Reply | To 103 | View Replies]

To: octobersky
Read why IE should be abandoned altogether:

http://channels.lockergnome.com/news/archives/20040615_why_you_should_dump_internet_explorer.phtml

107 posted on 07/04/2004 10:33:15 AM PDT by Swanks
[ Post Reply | Private Reply | To 14 | View Replies]

To: FL_engineer
LOL! (at myself) I left a couple of words out of my post to you, but I think you'll still get the gist of it.
108 posted on 07/04/2004 10:43:49 AM PDT by Eagle9
[ Post Reply | Private Reply | To 104 | View Replies]

To: Action-America
Microsloth's attention to security has always been so poor that the only reason that I even have Internet Exploder on my computer is for testing the appearance and functionality of web pages that I have just produced, and even then, I close the app immediately after testing.

I do the same thing with IE. I like FireFox 0.9.1.

109 posted on 07/04/2004 10:49:11 AM PDT by Eagle9
[ Post Reply | Private Reply | To 105 | View Replies]

To: Eagle9

Thank you, I did not expect tech support just thought I would ask in case you knew. Thanks again.


110 posted on 07/04/2004 11:02:52 AM PDT by Friend of thunder (No sane person wants war, but oppressors want oppression.)
[ Post Reply | Private Reply | To 106 | View Replies]

To: general_re

Thanks!

Your advice in post #37 worked, at least against the test site!


111 posted on 07/04/2004 11:14:38 AM PDT by Ethrane ("semper consolar")
[ Post Reply | Private Reply | To 37 | View Replies]

To: TenthAmendmentChampion
TenthAmendmentChampion, pardon the off-thread note, but seeing your screen-name makes me think that you might be interested in this article - http://www.ActionAmerica.org/constitution/amend10.html

It's a few years old, but still applies.

Now back to your regularly scheduled thread.

112 posted on 07/04/2004 11:17:21 AM PDT by Action-America (Best President: Reagan * Worst President: Klinton * Worst GOP President: Dubya)
[ Post Reply | Private Reply | To 50 | View Replies]

To: octobersky

Mozilla Firebird fails.


113 posted on 07/04/2004 11:22:42 AM PDT by Principled
[ Post Reply | Private Reply | To 14 | View Replies]

To: LTCJ
I had been using Firebird (v0.7 ?) - it failed. Just "upgraded" to Firefox - OK now.

Got a link for an update site?

114 posted on 07/04/2004 11:25:05 AM PDT by Principled
[ Post Reply | Private Reply | To 25 | View Replies]

To: general_re

Big thanks from me and the IE browser. Any suggestions for NS v7.1?

It doesn't seem to have all those options at either Tools or Edit > Preferences, as IE does.


115 posted on 07/04/2004 11:37:51 AM PDT by 7.62 x 51mm (• Veni • Vidi • Vino •)
[ Post Reply | Private Reply | To 37 | View Replies]

To: WestVirginiaRebel

"... Incompetent Explorer ..."

I seem to Incontinent Explorer on the office machine.


116 posted on 07/04/2004 11:41:30 AM PDT by 7.62 x 51mm (• Veni • Vidi • Vino •)
[ Post Reply | Private Reply | To 11 | View Replies]

To: Principled

Mozilla Firefox passes.

g :0)


117 posted on 07/04/2004 11:42:23 AM PDT by Principled
[ Post Reply | Private Reply | To 113 | View Replies]

To: swilhelm73

I use Netscape 7.1 and though I can't seem to get logged on my Netscape account right now it still don't give me the problems that IE does.


118 posted on 07/04/2004 11:52:38 AM PDT by pctech
[ Post Reply | Private Reply | To 5 | View Replies]

To: Swordmaker

My, my, Bush 2000 does have an attitudinal problem, doesn't he? Was he once suspended and recently reinstated or something?


119 posted on 07/04/2004 11:58:21 AM PDT by 7.62 x 51mm (• Veni • Vidi • Vino •)
[ Post Reply | Private Reply | To 36 | View Replies]

To: 7.62 x 51mm

Unfortunately, I haven't used NS since 6.2, and I honestly don't remember if there's a user-accessible setting for this - I don't think there is - so the only advice I can give is the not-very-helpful "switch"... ;)


120 posted on 07/04/2004 11:59:49 AM PDT by general_re (Drive offensively - the life you save may be your own.)
[ Post Reply | Private Reply | To 115 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson