Posted on 07/03/2004 9:46:15 PM PDT by Eagle9
As if to prove the point that security is like the Dutch boy at the dike, Microsoft on Friday released a stop-gap fix for one of several vulnerabilities that have plagued its Internet Explorer just as a security firm warned that virtually every browser -- not just IE -- can be spoofed by hackers.
The update, which Microsoft tagged as “Critical,” isn't a patch per se, but rather an change to Windows that disables the ADODB.Stream object within the operating system's Data Access Components (DAC).
Last week, an innovative attack launched by a Russian hacker group from previously-infected Microsoft Internet Information Services (IIS) servers compromised a large number of PCs with identity- and financial information-thieving Trojan horses and key loggers. The attack exploited a pair of vulnerabilities in Internet Explorer, one of which -- ADODB -- had not been patched by Microsoft.
While the Russian Web site that hosted the malicious code -- which was surreptitiously downloaded to the compromised computers -- was taken down last Friday to remove the immediate danger, Microsoft has still not released a patch. The ADODB disabler is meant only as a temporary fix, said Microsoft, until it can permanently fix IE.
“In addition to this configuration change, Microsoft is working to provide a series of security updates to Internet Explorer in coming weeks that will provide additional protections,” said Microsoft in a statement. Microsoft did not offer up a timeline for any future IE patches, saying only that “a comprehensive update will be released once it has been thoroughly tested.”
The update to disable ADODB should be downloaded and installed by all users of Windows NT, Windows 2000, Windows XP, and Windows Server 2003, Microsoft said. It's available on the Windows Download site, or via the Windows Update
service. Windows XP Service Pack 2 (SP2), which is expected to release in final form this summer, is not susceptible to the ADODB vulnerability.
Friday's update is one of the few pieces of good news IE users have heard in the last week.
After a rash of exploits against IE vulnerabilities -- including the Web attack of last week, password-stealing Trojans, and a new way for hackers to spoof, or fake, Web sites -- some security analysts questioned whether Internet Explorer was safe enough to use.
Even the U.S. Computer Emergency Response Team (US-CERT), part of the federal government's Department of Homeland Security, recommended that users consider ditching IE for an alternate such as Mozilla or Opera.
“We're recommending one of two things,” said Thomas Kristensen, the chief technology officer at Danish security firm Secunia. “Either use Internet Explorer under very restricted security settings -- which may not be possible for all companies -- or install a different browser.”
Wednesday, Secunia issued a warning saying it had discovered a vulnerability within IE that allowed scammers to spoof, or fake, the content of a site displayed in the browser.
On Friday, however, the security vendor modified the alert to claim that virtually every browser, from Internet Explorer and Mozilla to Opera and Netscape -- including browsers for both Windows and the Mac OS -- has this flaw.
“It's not a code vulnerability,” said Secunia's Kristensen, “but a design flaw.”
The problem stems from how browsers handle frames. “Some time ago, browser designers decided that one site needed to be able to manipulate the content of another, and the functionality was adopted by everyone,” said Kristensen. But hackers can use this to inject phony content -- say their own credit card-stealing form -- into a frame of an actual trusted Web site, such as a user's online bank.
“In these times of phishing attacks and other scams, this is a problem,” said Kristensen. “You're visiting a bank or an e-commerce site, and you're certain of that site, but meanwhile, it's [actually] open in the background to content change by hackers.”
Internet Explorer users can stymie such spoofing attacks by disabling the “Navigate sub-frames across different domains” setting under Tools/Internet Options/Security.
Secunia offered up a quick test that users can run to see if their current browser is vulnerable to this problem.
Dang it man, I downloaded the patch from Microsoft last night myself and I still failed the test. I think I'll download Firefox and see what happens.
I think you're right; the menus aren't as deep and detailed as IEs or MSs usual offerings. But the GUI is so nice and the v7.1 is as fast or faster than IE, at least on my machines.
Thanks again for the assist of IE, g_r.
Oh, yeah - you're welcome ;)
Run the test again in post #1. You may need to manually set the security option outlined in post 1.
My IE 6 passed...I don't know why yours didn't.
Do this manually:
Internet Explorer users can stymie such spoofing attacks by disabling the “Navigate sub-frames across different domains” setting under Tools/Internet Options/Security.
why didn't MS just fix it this way???
It's a useful option. You might as well ask why you should buy an expensive car, since it only attracts thieves. Please not that the problem includes all versions of Netscape and Opera. At one time the internet community thought this was a useful and desirable feature. So now it attracts evildoers, and we are supposed to blame the victims?
No complaints here! I'm just wondering hy they don't tell MSIE users to use this feature instead of devising some patch...
I installed the upgrade on two home machines. on one the setting changed automatically. On the other I had to set it manually. To be fair. the second machine has never been quite right since it was overrun by viruses last year. (I wasn't using a scanner, and my wife belongs to lots of newsgroups.) There may also be more to the patch than I know about.
You are actually calling us cretins because we buy Macintoshes???
I wouldn't worry too much about what Bush2000 says. Nobody else does.
I think that he (she) either works for Microsoft or is one of those MSXX certification types who hasn't figured out that he (she) owes his (her) livelihood to the fact that Microsoft produces garbage software. Either way, it severely damages his (her) credibility on such issues.
I have made a very good living for quite a number of years, largely due to the fact that Microsoft has created such a huge market for people like me to come in and fix problems that would have never occurred in software produced by a good software company. For that reason, I really like Microsoft. If they were to start making good software, a lot of people like me would have to start actually working for a living.
But, it's because my time is so valuable and I therefore don't have time to fight Microsoft problems on my own computer, that I use Macs, for my own business and home computing. After all, every hour that I might have to spend fixing problems on my own computer, would be an hour that I couldn't bill to a client. I'm not trying to get people to switch to Macs. I will, however, admit to the vice of having a bit of pride, in being one of the relatively few people who has the sense to recognize a superior computing platform, in spite of the massive propaganda from Microsoft.
I just let what Bush2000 says, roll off my back, since he (she) is obviously a Microsoft bigot (for whatever reasons) and probably just feels a natural desire to preserve his (her) pride by slamming those who he (she) realizes, know that his (her) pride has no real foundation, in fact. I can't really blame him (her) for doing something that I might well do, if I had bought into the Microsoft propaganda and were stuck using a WinTel box.
It seems that Netscape 4.77 (circa 1999) did NOT have the frames vulnerability and that matches my recollection of how frames worked back then. But when IE came out with the OPPOSITE settings as a default, some of the other (newer) browsers apparently felt they had to follow suit or else they wouldn't be compatible with greenhorn website developers that ONLY developed and tested things with an IE browser.
Thank you! That works.
I assume there times that I would want that this enabled or is this (the ability to navigate sub-frames across different domains) something that, while useful, is too easily exploitable by evildoers?
http://texturizer.net/firefox/download.html
Firefox is what used to be Firebird, but they ran into another trademark problem and had to change the name again. Before Firebird, it was Phoenix. But, under any name, it has always been a very good browser. The release of 0.8 and the more recent 0.9.1 marks the move from being a very good browser, to a really fine browser.
Apparently this "feature" was a bad idea and should be disabled by default.
By my understanding, a lot of DRM these days is predicated upon the ability to embed code within a protected digital content file; under Microsoft's Palladium architecture, such embedded code would be encrypted (most likely with a one-way encryption algorithm so that companies could encrypt code that would run on others' machines without being able to decrypt others' code). Does anyone know if this is how things would work?
If so, can anyone spell "virus heaven"?
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.