Free Republic

Microsoft Plugs IE; Warns All Browsers At Risk (Test Your Browser Here)
TechWeb ^ | July 2, 2004 | Gregg Keizer

Posted on 07/03/2004 9:46:15 PM PDT by Eagle9

As if to prove the point that security is like the Dutch boy at the dike, Microsoft on Friday released a stop-gap fix for one of several vulnerabilities that have plagued its Internet Explorer just as a security firm warned that virtually every browser -- not just IE -- can be spoofed by hackers.

The update, which Microsoft tagged as “Critical,” isn't a patch per se, but rather a change to Windows that disables the ADODB.Stream object within the operating system's Data Access Components (DAC).

Last week, an innovative attack launched by a Russian hacker group from previously-infected Microsoft Internet Information Services (IIS) servers compromised a large number of PCs with identity- and financial information-thieving Trojan horses and key loggers. The attack exploited a pair of vulnerabilities in Internet Explorer, one of which -- ADODB -- had not been patched by Microsoft.

While the Russian Web site that hosted the malicious code -- which was surreptitiously downloaded to the compromised computers -- was taken down last Friday to remove the immediate danger, Microsoft has still not released a patch. The ADODB disabler is meant only as a temporary fix, said Microsoft, until it can permanently fix IE.

“In addition to this configuration change, Microsoft is working to provide a series of security updates to Internet Explorer in coming weeks that will provide additional protections,” said Microsoft in a statement. Microsoft did not offer up a timeline for any future IE patches, saying only that “a comprehensive update will be released once it has been thoroughly tested.”

The update to disable ADODB should be downloaded and installed by all users of Windows NT, Windows 2000, Windows XP, and Windows Server 2003, Microsoft said. It's available on the Windows Download site, or via the Windows Update service. Windows XP Service Pack 2 (SP2), which is expected to release in final form this summer, is not susceptible to the ADODB vulnerability.

Friday's update is one of the few pieces of good news IE users have heard in the last week.

After a rash of exploits against IE vulnerabilities -- including the Web attack of last week, password-stealing Trojans, and a new way for hackers to spoof, or fake, Web sites -- some security analysts questioned whether Internet Explorer was safe enough to use.

Even the U.S. Computer Emergency Response Team (US-CERT), part of the federal government's Department of Homeland Security, recommended that users consider ditching IE for an alternate such as Mozilla or Opera.

“We're recommending one of two things,” said Thomas Kristensen, the chief technology officer at Danish security firm Secunia. “Either use Internet Explorer under very restricted security settings -- which may not be possible for all companies -- or install a different browser.”

Wednesday, Secunia issued a warning saying it had discovered a vulnerability within IE that allowed scammers to spoof, or fake, the content of a site displayed in the browser.

On Friday, however, the security vendor modified the alert to claim that virtually every browser, from Internet Explorer and Mozilla to Opera and Netscape -- including browsers for both Windows and the Mac OS -- has this flaw.

“It's not a code vulnerability,” said Secunia's Kristensen, “but a design flaw.”

The problem stems from how browsers handle frames. “Some time ago, browser designers decided that one site needed to be able to manipulate the content of another, and the functionality was adopted by everyone,” said Kristensen. But hackers can use this to inject phony content -- say their own credit card-stealing form -- into a frame of an actual trusted Web site, such as a user's online bank.

“In these times of phishing attacks and other scams, this is a problem,” said Kristensen. “You're visiting a bank or an e-commerce site, and you're certain of that site, but meanwhile, it's [actually] open in the background to content change by hackers.”

Internet Explorer users can stymie such spoofing attacks by disabling the “Navigate sub-frames across different domains” setting under Tools/Internet Options/Security.

Secunia offered up a quick test that users can run to see if their current browser is vulnerable to this problem.


TOPICS: Business/Economy; Front Page News; Technical
KEYWORDS: browser; getamac; ie; internetexploiter; lowqualitycrap; microsoft; patch; security; securityflaw; technology; vulnerability; vulnerable; windows
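
Added example, not part of the posted article or the thread: a simplified JavaScript model of the frame-navigation decision behind the spoofing flaw described above, comparing the permissive behaviour the article describes with an ancestor-based same-origin check. The frame names, origins and the `mayNavigate` helper are constructed for illustration.

```javascript
// Simplified model of frame navigation checks (added illustration).
// Origins and frame names below are constructed sample data.
class Frame {
  constructor(name, origin, parent = null) {
    this.name = name;
    this.origin = origin;
    this.parent = parent;
  }
  // Yields parent, grandparent, ... up to the top-level window.
  *ancestors() {
    for (let f = this.parent; f; f = f.parent) yield f;
  }
}

// permissive: the behaviour described in the article; any page may
//   retarget a named frame that lives in another site's window.
// ancestor: the initiator must be same-origin with the target frame or
//   with one of the target's ancestors (a simplified form of the rule
//   in the HTML standard for nested frames; an assumption of this model).
function mayNavigate(policy, initiator, target) {
  if (policy === "permissive") return true;
  if (policy !== "ancestor") throw new Error(`unknown policy: ${policy}`);
  if (initiator === target) return true;
  if (initiator.origin === target.origin) return true;
  for (const a of target.ancestors()) {
    if (a.origin === initiator.origin) return true;
  }
  return false;
}

// Constructed scenario: a bank page with two frames, and an unrelated
// page open in a second window.
const bankTop = new Frame("_top", "https://bank.example");
const bankLogin = new Frame("login", "https://bank.example", bankTop);
const bankAd = new Frame("ad", "https://ads.example", bankTop);
const attackerTop = new Frame("_top", "https://attacker.example");

// Evaluates three navigation requests under the given policy.
function report(policy) {
  return {
    attackerToLogin: mayNavigate(policy, attackerTop, bankLogin),
    adToLogin: mayNavigate(policy, bankAd, bankLogin),
    bankToAd: mayNavigate(policy, bankTop, bankAd),
  };
}

console.log("permissive:", report("permissive"));
console.log("ancestor:  ", report("ancestor"));
```

Under the ancestor check only the bank's own top-level page can still retarget its frames; the cross-window request and the embedded third-party frame are both refused.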
To: FL_engineer

Bump!


161 posted on 07/05/2004 5:53:26 AM PDT by windchime (Podesta about Bush: "He's got four years to try to undo all the stuff we've done." (TIME-1/22/01))
[ Post Reply | Private Reply | To 67 | View Replies]

To: Arkinsaw

No problems with Mozilla 1.7 on MacOS 10.3.3 either.
However, IE5.2 'lifted its skirt' as soon as I clicked Secunia's second link.


162 posted on 07/05/2004 7:29:10 AM PDT by solitas (WP,WW)
[ Post Reply | Private Reply | To 3 | View Replies]

To: Squantos
I put in Spy Sweeper and it got rid of that belt.exe junk but Norton still says there is an undeletable set of four files that Spy Sweeper doesn't see.

Pretty soon, half of my 160GB HD will be all spyware/adware killers.

163 posted on 07/05/2004 8:12:14 AM PDT by Old Professer (Interests in common are commonly abused.)
[ Post Reply | Private Reply | To 33 | View Replies]

To: Old Professer

Sad ain't it......

My system has: Zone Alarm, AVG, Ad-Aware, Spybot, Spyware blaster, and A2 Squared scanner along with norton pro. I run em all on autopilot at 3 or 4am in sequence. They auto update and are pretty easy to use for me as I lack expertise in fighting these viruses and malware/spyware thangs!

Real happy that FR has some experts in the arena !

Thanks ...Stay safe !


164 posted on 07/05/2004 8:21:04 AM PDT by Squantos (Be polite. Be professional. But, have a plan to kill everyone you meet. ©)
[ Post Reply | Private Reply | To 163 | View Replies]

To: Swordmaker
I've always hated frames, and now I have yet another reason to do so. I use frames on exactly 2 sets of pages on my website because it makes a lot of sense in the context. Most sites that use frames are merely attempting to make their site more sticky, and in doing so, make many aspects of navigating much more annoying. Perhaps this attack will make sites that use frames rethink their design. I can only hope so.
165 posted on 07/05/2004 10:13:21 AM PDT by zeugma (The Great Experiment is over.)
[ Post Reply | Private Reply | To 153 | View Replies]

To: solitas

The Microsoft (WinXP) fix seems to correct the problem, at least on my WinXP box. Downloaded and installed this morning. Even though IE6 failed the Secunia test yesterday, it passed with flying colors after the MS fix.


166 posted on 07/05/2004 10:54:43 AM PDT by savedbygrace
[ Post Reply | Private Reply | To 162 | View Replies]

To: Swordmaker; Lael
...give it to some deserving business...

Pfft. Drop me a line - I'll give you an address you can send it to, postage due if you like, so it doesn't cost you a penny...

167 posted on 07/05/2004 11:50:07 AM PDT by general_re (Drive offensively - the life you save may be your own.)
[ Post Reply | Private Reply | To 157 | View Replies]

To: Revel
Anyone know of a good way of updating a version of Mozilla and getting all the mail files and other such preference to transfer automatically?

Deleting the browser doesn't delete your stuff. So, you can delete Mozilla, reinstall, and all your stuff's still there and working. But I agree with you on the need for a smooth import of a saved profile where there was no Mozilla on the machine before (like in a rebuild).

168 posted on 07/05/2004 12:40:23 PM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 54 | View Replies]

To: Revel

BTW, they're getting there. Installing Firefox on a machine with Mozilla will pull all of your Mozilla stuff over, including any saved passwords, etc. Thunderbird for mail is a bit more difficult if you want a clean port.


169 posted on 07/05/2004 12:41:53 PM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 54 | View Replies]

To: Action-America

Thanks for the link... interesting! And the writer is correct... the feds want to equalize the variation among the states, instead of recognizing it as a strength that one state can run its affairs in one way and another in a different way, and letting the inhabitants choose to stay, or move, as prompted by the effects. People are flooding here to Arizona from California because of the overbearing liberal government there. That's the way things should work. I hope California realizes it in time, though...


170 posted on 07/05/2004 1:42:55 PM PDT by TenthAmendmentChampion (Freepmail me if you'd like to read one of my Christian historical romance novels!)
[ Post Reply | Private Reply | To 112 | View Replies]

To: Sir_Ed
or stop being so rude to people who are like you in all beliefs except one, that Macs are better for their computer needs!

No problem.
Just have the girlie men and perverts enjoy their cute little machines and ask them to stay the hell out.

See? No problem.

171 posted on 07/05/2004 2:02:26 PM PDT by Publius6961 (I don't do diplomacy either.)
[ Post Reply | Private Reply | To 158 | View Replies]

To: RikaStrom

A must read..........


172 posted on 07/05/2004 3:44:49 PM PDT by SeaDragon
[ Post Reply | Private Reply | To 1 | View Replies]

To: Publius6961

"Just have the girlie men and perverts enjoy their cute little machines and ask them to stay the hell out."

Only problem is...I'm not a girly man, nor a pervert, and my Mac is far more powerful than the word "cute" begins to describe.

What is it about Mac users that bring out such bitter, loathing, hatred from other Freepers?

I don't get it...do Ford owners, or Toyota owners, get the same level of denigration that Mac owners are subjected to?

Ed


173 posted on 07/05/2004 3:50:31 PM PDT by Sir_Ed
[ Post Reply | Private Reply | To 171 | View Replies]

To: Sir_Ed
What is it about Mac users that bring out such bitter, loathing, hatred from other Freepers?

Don't sweat it. Windows users are running scared that their precious little OS is on its way out. As a result, they're spitting in every direction they can to try and prevent it.

If you have the right attitude, it can be pretty entertaining at times. :)

174 posted on 07/05/2004 4:46:37 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 173 | View Replies]

To: Eagle9

bump for publicity


175 posted on 07/05/2004 5:01:08 PM PDT by VOA
[ Post Reply | Private Reply | To 1 | View Replies]

To: Eagle9

Whenever you hear the phrase "frames are evil", this is an example of how the phrase arose.


176 posted on 07/05/2004 5:42:52 PM PDT by glorgau
[ Post Reply | Private Reply | To 1 | View Replies]

To: Sir_Ed
Oh come now, don't disseminate so...you know exactly who you were talking to--us Mac users.

Uh, no, Ed. I really wasn't. But if it makes you feel better to think so, go right ahead.
177 posted on 07/05/2004 8:25:51 PM PDT by Bush2000
[ Post Reply | Private Reply | To 158 | View Replies]

To: Swordmaker
If there is one thing we have learned on this thread, it is that this problem is NOT Microsoft's problem alone. It is a conceptual problem in the design of FRAMES in which content from exterior websites can be injected into a frame. This has been utilized in such websites and services as Ask Jeeves where a found link is opened in a Jeeves website page in a frame.

I can't believe that I find myself agreeing with you. ;-p

In all fairness, since this problem exists in Netscape, early Mozilla programs, Safari on the Mac, and many other browsers that have never seen the inside of Microsoft programmers' heads, we cannot solely blame Microsoft.

Well, you certainly can blame Microsoft. But there's plenty of blame to go around with other browser developers, too.

Blame the hackers who WILL exploit this unexpected consequence of a useful feature of Hypertext Markup Language that will now be less useful.

An all-too-rare sentiment.
178 posted on 07/05/2004 8:28:38 PM PDT by Bush2000
[ Post Reply | Private Reply | To 153 | View Replies]

To: Eagle9

Bump for later reading.


179 posted on 07/05/2004 8:33:18 PM PDT by Cloud William
[ Post Reply | Private Reply | To 1 | View Replies]

To: FL_engineer

Thanks for the ping. Needed the info!


180 posted on 07/05/2004 10:41:08 PM PDT by skr (Tired of Tirkut Teddy and Najaf Nancy)
[ Post Reply | Private Reply | To 67 | View Replies]

