Free Republic
Microsoft Plugs IE; Warns All Browsers At Risk (Test Your Browser Here)
TechWeb ^ | July 2, 2004 | Gregg Keizer

Posted on 07/03/2004 9:46:15 PM PDT by Eagle9

As if to prove the point that security is like the Dutch boy at the dike, Microsoft on Friday released a stop-gap fix for one of several vulnerabilities that have plagued its Internet Explorer just as a security firm warned that virtually every browser -- not just IE -- can be spoofed by hackers.

The update, which Microsoft tagged as “Critical,” isn't a patch per se, but rather a change to Windows that disables the ADODB.Stream object within the operating system's Data Access Components (DAC).

Last week, an innovative attack launched by a Russian hacker group from previously-infected Microsoft Internet Information Services (IIS) servers compromised a large number of PCs with identity- and financial information-thieving Trojan horses and key loggers. The attack exploited a pair of vulnerabilities in Internet Explorer, one of which -- ADODB -- had not been patched by Microsoft.

While the Russian Web site that hosted the malicious code -- which was surreptitiously downloaded to the compromised computers -- was taken down last Friday to remove the immediate danger, Microsoft has still not released a patch. The ADODB disabler is meant only as a temporary fix, said Microsoft, until it can permanently fix IE.

“In addition to this configuration change, Microsoft is working to provide a series of security updates to Internet Explorer in coming weeks that will provide additional protections,” said Microsoft in a statement. Microsoft did not offer up a timeline for any future IE patches, saying only that “a comprehensive update will be released once it has been thoroughly tested.”

The update to disable ADODB should be downloaded and installed by all users of Windows NT, Windows 2000, Windows XP, and Windows Server 2003, Microsoft said. It's available on the Windows Download site, or via the Windows Update service. Windows XP Service Pack 2 (SP2), which is expected to release in final form this summer, is not susceptible to the ADODB vulnerability.

Friday's update is one of the few pieces of good news IE users have heard in the last week.

After a rash of exploits against IE vulnerabilities -- including the Web attack of last week, password-stealing Trojans, and a new way for hackers to spoof, or fake, Web sites -- some security analysts questioned whether Internet Explorer was safe enough to use.

Even the U.S. Computer Emergency Response Team (US-CERT), part of the federal government's Department of Homeland Security, recommended that users consider ditching IE for an alternate such as Mozilla or Opera.

“We're recommending one of two things,” said Thomas Kristensen, the chief technology officer at Danish security firm Secunia. “Either use Internet Explorer under very restricted security settings -- which may not be possible for all companies -- or install a different browser.”

Wednesday, Secunia issued a warning saying it had discovered a vulnerability within IE that allowed scammers to spoof, or fake, the content of a site displayed in the browser.

On Friday, however, the security vendor modified the alert to claim that virtually every browser, from Internet Explorer and Mozilla to Opera and Netscape -- including browsers for both Windows and the Mac OS -- has this flaw.

“It's not a code vulnerability,” said Secunia's Kristensen, “but a design flaw.”

The problem stems from how browsers handle frames. “Some time ago, browser designers decided that one site needed to be able to manipulate the content of another, and the functionality was adopted by everyone,” said Kristensen. But hackers can use this to inject phony content -- say their own credit card-stealing form -- into a frame of an actual trusted Web site, such as a user's online bank.

“In these times of phishing attacks and other scams, this is a problem,” said Kristensen. “You're visiting a bank or an e-commerce site, and you're certain of that site, but meanwhile, it's [actually] open in the background to content change by hackers.”

Internet Explorer users can stymie such spoofing attacks by disabling the “Navigate sub-frames across different domains” setting under Tools/Internet Options/Security.

Secunia offered up a quick test that users can run to see if their current browser is vulnerable to this problem.


TOPICS: Business/Economy; Front Page News; Technical
KEYWORDS: browser; getamac; ie; internetexploiter; lowqualitycrap; microsoft; patch; security; securityflaw; technology; vulnerability; vulnerable; windows
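
The frame behaviour the article describes, and the effect of turning off cross-domain sub-frame navigation, as a simplified model added here (not code from the article, Secunia, or any browser). The context names, the example origins and both policy rules are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of frame-navigation policy.
// Names, origins and both policy rules are assumptions, not any browser's real code.

// A browsing context is a window or frame showing a document from one origin.
function context(name, origin, parent = null) {
  return { name, origin, parent };
}

// All contexts that contain `frame`, from its parent up to the top-level window.
function ancestorsOf(frame) {
  const chain = [];
  for (let p = frame.parent; p !== null; p = p.parent) chain.push(p);
  return chain;
}

// May `initiator` load a new document into `target`?
//   "permissive": anyone who can name the frame may navigate it.
//   "restricted": only the same origin, or an origin that already contains the frame.
function mayNavigate(initiator, target, policy) {
  if (policy === "permissive") return true;
  if (initiator.origin === target.origin) return true;
  return ancestorsOf(target).some((a) => a.origin === initiator.origin);
}

// List every cross-origin navigation of a sub-frame that the policy would allow.
function crossOriginExposure(contexts, policy) {
  const findings = [];
  for (const initiator of contexts) {
    for (const target of contexts) {
      if (target.parent === null || initiator === target) continue;
      if (initiator.origin === target.origin) continue;
      if (mayNavigate(initiator, target, policy)) {
        findings.push(`${initiator.name} -> ${target.name}`);
      }
    }
  }
  return findings;
}

// Constructed sample: a bank page with two frames, plus an unrelated open window.
const bank = context("bank-top", "https://bank.example");
const login = context("bank-login", "https://bank.example", bank);
const widget = context("bank-widget", "https://widget.example", bank);
const other = context("other-window", "https://other.example");
const all = [bank, login, widget, other];

console.log("permissive:", crossOriginExposure(all, "permissive"));
console.log("restricted:", crossOriginExposure(all, "restricted"));
```

Under the restricted rule the unrelated window no longer appears in the list, while the bank page can still manage the frames it embeds itself.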
To: Bush2000
...and requires you to traverse to a malicious website...

Websites have fingerprints. Not as anonymous as a spoofed email.

141 posted on 07/04/2004 3:25:57 PM PDT by js1138 (In a minute there is time, for decisions and revisions which a minute will reverse. J Forbes Kerry)

To: general_re

Ping to check from home.


142 posted on 07/04/2004 3:27:24 PM PDT by Tall_Texan (Ronald Reagan - Greatest President of the 20th Century.)

To: Eagle9

Bump for later....


143 posted on 07/04/2004 4:09:46 PM PDT by Watery Tart (John al-Q’erry: Consumptive Democrat Presidential Candidate)

To: Principled
Got a link for an update site?

Sorry for the delay. Here ya go:

http://www.mozilla.org/products/firefox/

144 posted on 07/04/2004 4:54:25 PM PDT by LTCJ (Gridlock '05 - the Lesser of Three Evils.)

To: Eagle9

Thanks. I just tested my Netscape browser and it failed, too. I have gone to Mozilla.


145 posted on 07/04/2004 9:11:11 PM PDT by Blood of Tyrants (Even if the government took all your earnings, you wouldn't be, in its eyes, a slave.)

To: Bush2000
Stay out of it. I'm getting a little tired of their continual lies.

hahahahhahahaha. it must get real tiring trying to defend the indefensible (crap microsoft software).

146 posted on 07/04/2004 9:24:28 PM PDT by zeugma (The Great Experiment is over.)

To: RedBloodedAmerican

Take my word for it...IE has always been BAD!!! When you are talking about the people who just go all over the internet and pay no attention to security it is a real nightmare. I know people like this....The ones using Netscape never have a problem...The ones using IE have their computers get so loaded with spyware that they come to a screeching halt. In one case I ran Adaware for a woman that uses IE and refuses to use anything else. There were over 500 cases of spyware on her computer. There were at least 20 running processes of it. Another woman...never uses IE...goes all over the internet with Netscape and ends up with nothing more than cookies. I rarely use IE...once when I did...I also ended up with that coolweb search on my computer. It really is bad news from a security standpoint.


147 posted on 07/04/2004 10:09:39 PM PDT by Revel

To: freedom moose
While Secunia DID successfully inject its content onto the page, the return to the page did not replicate that injection
i guess that's what happened to me too then. so maybe i don't have to worry. please explain what replicating the injection means. thanks

Sorry, I was misunderstanding their instructions... my bad. You DO have to worry.

148 posted on 07/04/2004 10:39:04 PM PDT by Swordmaker (This tagline shut down for renovations and repairs. Re-open June of 2001.)

To: First_Salute
It finally occurred to me, that instead of Gene Hackman et al, coming out of that hole, there should have been a waterspout. Si?!

No... there would have been high pressure air surging out until all the air escaped or a new equilibrium was reached.

149 posted on 07/04/2004 10:46:02 PM PDT by Swordmaker (This tagline shut down for renovations and repairs. Re-open June of 2001.)

To: 7.62 x 51mm
My, my, Bush 2000 does have an attitudinal problem, doesn't he? Was he once suspended and recently reinstated or something?

I believe he was suspended for just such insults... I don't know how long the suspension was.

150 posted on 07/04/2004 10:49:37 PM PDT by Swordmaker (This tagline shut down for renovations and repairs. Re-open June of 2001.)

To: Bush2000
Neither has any IE user. I'd like anyone to point out a single user who was directly attacked by this hack. Bottom line: Nobody was. The threat is theoretical only -- and requires you to traverse to a malicious website. Hackers can't force you to go there; consequently, the actual threat is near zero to the average user.

Thank you, Bush. I agree. Secunia has a propensity to announce unexploited security issues. As I pointed out earlier, the safest way to use a secure site is NOT to have any other windows open while you use it. If you don't go to a malicious site WHILE you have the secure site open, it cannot be hijacked.

See, I knew you could do it.

151 posted on 07/04/2004 10:58:02 PM PDT by Swordmaker (This tagline shut down for renovations and repairs. Re-open June of 2001.)

To: P8riot
No problems on linux either

I feel so left out. We never get to play in any reindeer games.

</sarcasm>

Got Slack?

152 posted on 07/04/2004 11:06:08 PM PDT by Redcloak (My tagline reminds John Kerry of Vietnam. Did you know that John Kerry was in Vietnam?)

To: zeugma; Bush2000
hahahahhahahaha. it must get real tiring trying to defend the indefensible (crap microsoft software).

Folks! Hold it. Stop.

If there is one thing we have learned on this thread, it is that this problem is NOT Microsoft's problem alone. It is a conceptual problem in the design of FRAMES in which content from exterior websites can be injected into a frame. This has been utilized in such websites and services as Ask Jeeves where a found link is opened in a Jeeves website page in a frame.

In all fairness, since this problem exists in Netscape, early Mozilla programs, Safari on the Mac, and many other browsers that have never seen the inside of Microsoft programmers' heads, we cannot solely blame Microsoft.

Blame the hackers who WILL exploit this unexpected consequence of a useful feature of Hypertext Markup Language that will now be less useful.

153 posted on 07/04/2004 11:06:10 PM PDT by Swordmaker (This tagline shut down for renovations and repairs. Re-open June of 2001.)

To: Swordmaker; Bush2000; All
MAC PING!!!! IMPORTANT!!!

Just took the plunge...picked up a 17 inch iMac on Friday with 768 MB Memory...about ready to put the Sony Vaio Digital Studio P4 out by the curb for the Quarterly Bulk Trash pickup!!

154 posted on 07/04/2004 11:08:09 PM PDT by Lael (Patent Law...not a single Supreme Court Justice is qualified to take the PTO Bar Exam!)

To: Swordmaker

Very well said.


155 posted on 07/04/2004 11:13:15 PM PDT by Liberal Classic (No better friend, no worse enemy. Semper Fi!)

To: Bush2000
I'd like anyone to point out a single user who was directly attacked by this hack.

Another point that needs to be made is that Secunia could accomplish this proof of concept (and scaring the bejeebers out of a lot of web users) ONLY BECAUSE they knew that a specific page from Microsoft with a specific Frame was open on your computer. Because of this SPECIAL knowledge, it was easy to inject their malicious code onto that page. This is a setup.

Consider the real world situation... To have this exploit cause a problem for any particular user, they would have to have opened a page with frames on a site in which they would be planning to type in sensitive data... and THEN they would have to navigate to a malicious site that is prepared, in advance, to inject a spoofed page into the frame exactly replicating the page you expected for THAT particular website (out of thousands of possibilities) and THEN have you return to that page to insert your sensitive data...

Why we would all do that... every day..., Right. Sure.

156 posted on 07/04/2004 11:18:26 PM PDT by Swordmaker (This tagline shut down for renovations and repairs. Re-open June of 2001.)

To: Lael
Just took the plunge...picked up a 17 inch iMac on Friday with 768 MB Memory...about ready to put the Sony Vaio Digital Studio P4 out by the curb for the Quarterly Bulk Trash pickup!!

Welcome to the Mac world, Lael. You won't regret it.

Don't just toss that Sony... give it to some deserving business so they can hire me to fix it every week... ;^)

157 posted on 07/04/2004 11:21:30 PM PDT by Swordmaker (This tagline shut down for renovations and repairs. Re-open June of 2001.)

To: Bush2000

Oh come now, don't disseminate so...you know exactly who you were talking to--us Mac users.

If you're going to call people cretins, at least have the courage of your convictions to come out and say it, or stop being so rude to people who are like you in all beliefs except one, that Macs are better for their computer needs!

Ed


158 posted on 07/05/2004 12:52:52 AM PDT by Sir_Ed

To: First_Salute

http://www.theregister.co.uk/2004/07/05/ie_vuln/

IE workaround a non-starter

By John Leyden
Published Monday 5th July 2004 10:40 GMT

Doubts have been raised about the effectiveness of a workaround issued by Microsoft to guard against a potentially devastating vulnerability in IE. Left unchecked the flaw creates a means for hackers to turn popular websites into conduits for viral transmission.

On 24 June many websites running Microsoft's IIS 5 Web server software were infected with malicious JavaScript code called Download.Ject. If IE users visited websites hosting Download.Ject their PCs attempted to download a virus from a Russian website. This website was quickly shut down, but the incident illustrated serious security shortcomings with IE and prompted security clearing house US-CERT to advise users to ditch IE in favour of alternative browsers.

Last Friday, Microsoft rolled out configuration changes to the Windows XP, Windows Server 2003 and Windows 2000 designed to protect against the Download.Ject attack as a workaround prior to the availability of patches. But postings to the insecure.org full disclosure mailing list over the weekend provide evidence that a slightly modified exploit can still yield full system compromise even on systems that have applied the workaround.

Users are advised to disable Active Scripting, except for trusted websites, as a precaution, until Microsoft comes out with a fix. Alternative browsers such as Mozilla, Opera or Netscape - which are not subject to this IE-specific attack - remain a much safer option. ®

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I like FireFox so far.


159 posted on 07/05/2004 4:59:10 AM PDT by snopercod (The politicians make the weather then say "$hit, it's raining"!)

To: Swordmaker

bump


160 posted on 07/05/2004 5:05:59 AM PDT by snopercod (The politicians make the weather then say "$hit, it's raining"!)