Microsoft Plugs IE; Warns All Browsers At Risk (Test Your Browser Here)

TechWeb ^ | July 2, 2004 | Gregg Keizer

[Eagle9]

As if to prove the point that security is like the Dutch boy at the dike, Microsoft on Friday released a stop-gap fix for one of several vulnerabilities that have plagued its Internet Explorer just as a security firm warned that virtually every browser -- not just IE -- can be spoofed by hackers.

The update, which Microsoft tagged as “Critical,” isn't a patch per se, but rather an change to Windows that disables the ADODB.Stream object within the operating system's Data Access Components (DAC).

Last week, an innovative attack launched by a Russian hacker group from previously-infected Microsoft Internet Information Services (IIS) servers compromised a large number of PCs with identity- and financial information-thieving Trojan horses and key loggers. The attack exploited a pair of vulnerabilities in Internet Explorer, one of which -- ADODB -- had not been patched by Microsoft.

While the Russian Web site that hosted the malicious code -- which was surreptitiously downloaded to the compromised computers -- was taken down last Friday to remove the immediate danger, Microsoft has still not released a patch. The ADODB disabler is meant only as a temporary fix, said Microsoft, until it can permanently fix IE.

“In addition to this configuration change, Microsoft is working to provide a series of security updates to Internet Explorer in coming weeks that will provide additional protections,” said Microsoft in a statement. Microsoft did not offer up a timeline for any future IE patches, saying only that “a comprehensive update will be released once it has been thoroughly tested.”

The update to disable ADODB should be downloaded and installed by all users of Windows NT, Windows 2000, Windows XP, and Windows Server 2003, Microsoft said. It's available on the Windows Download site, or via the Windows Update

service. Windows XP Service Pack 2 (SP2), which is expected to release in final form this summer, is not susceptible to the ADODB vulnerability.

Friday's update is one of the few pieces of good news IE users have heard in the last week.

After a rash of exploits against IE vulnerabilities -- including the Web attack of last week, password-stealing Trojans, and a new way for hackers to spoof, or fake, Web sites -- some security analysts questioned whether Internet Explorer was safe enough to use.

Even the U.S. Computer Emergency Response Team (US-CERT), part of the federal government's Department of Homeland Security, recommended that users consider ditching IE for an alternate such as Mozilla or Opera.

“We're recommending one of two things,” said Thomas Kristensen, the chief technology officer at Danish security firm Secunia. “Either use Internet Explorer under very restricted security settings -- which may not be possible for all companies -- or install a different browser.”

Wednesday, Secunia issued a warning saying it had discovered a vulnerability within IE that allowed scammers to spoof, or fake, the content of a site displayed in the browser.

On Friday, however, the security vendor modified the alert to claim that virtually every browser, from Internet Explorer and Mozilla to Opera and Netscape -- including browsers for both Windows and the Mac OS -- has this flaw.

“It's not a code vulnerability,” said Secunia's Kristensen, “but a design flaw.”

The problem stems from how browsers handle frames. “Some time ago, browser designers decided that one site needed to be able to manipulate the content of another, and the functionality was adopted by everyone,” said Kristensen. But hackers can use this to inject phony content -- say their own credit card-stealing form -- into a frame of an actual trusted Web site, such as a user's online bank.

“In these times of phishing attacks and other scams, this is a problem,” said Kristensen. “You're visiting a bank or an e-commerce site, and you're certain of that site, but meanwhile, it's [actually] open in the background to content change by hackers.”

Internet Explorer users can stymie such spoofing attacks by disabling the “Navigate sub-frames across different domains” setting under Tools/Internet Options/Security.

Secunia offered up a quick test that users can run to see if their current browser is vulnerable to this problem.

[ThePythonicCow]

How do we know that "checking" our browser is safe?

Well, the thing that the last link in this post was checking was whether one web site could pretend to be another, and fake you out into giving up, say, your bank account login or credit card to a bad guy.

Since you don't particularly trust this checking website, you are in good shape - I am sure you would have refused to offer up any personal information to whatever pages came up.

Only if you had been deluded into thinking it was really some web site you trusted would you have been at risk of giving it personal information.

Though, as someone else noted in another post above, this entire article is a bit confused -- it is mixing two different problems.

• One, that the first part of the article focuses on, is only Microsoft Internet Explorer related - it could secretly download bad software from what looked to you to be a perfectly fine web page. Then that bad software, now running in your PC, would steal information, without your ever noticing (until you noticed your bank account short of funds)
• The second, which that last quick test link in the article was testing, was whether your browser would allow one web site to lie to you, telling you it was another web site, and con you into entering information that you would not normally give, except to a site you trusted. It is this link that you can safely try - since you aren't about to be fooled, at least this time.

[Byron_the_Aussie]

Appreciate it, Eagle.

We've had Bill Gates out here this week, meeting with our Prime Minister. And all week I've been battling IE problems- the Byte.Verify trojan, Bloodhound, and CoolWebSearch. And I must have thought, at least ten times, 'go home, Gates. Just go home, and fix up the holes in your product.'

[Redbob]

"Mozilla 1.7 under Windows does not seem to be vulnerable."<

Some things are worse even than being hacked...

[Swordmaker]

ALERT This vulnerability is in Microsoft Internet Explorer v.5.2.x for the Mac, too!

Sorry, First_Salute, but I just tested the exploit on Secunia's site with my Apple Macintosh G5. both with Safari and Internet Explorer 5.2.3, and the exploit did not work on either.

While Secunia DID successfully inject its content onto the page, the return to the page did not replicate that injection

[LTCJ]

Internet Explorer failed. Firefox passed.

I had been using Firebird (v0.7 ?) - it failed. Just "upgraded" to Firefox - OK now.

[mean lunch lady]

Thanks for the alert. I will have my computer expert, my son, check this out. I appreciate the heads up.

[First_Salute]

The exploit is working on Microsoft Internet Explorer 5.2.x for the Mac, as stated.

[Swordmaker]

Sorry, First_Salute, but I just tested the exploit on Secunia's site with my Apple Macintosh G5. both with Safari and Internet Explorer 5.2.3, and the exploit did not work on either.

Perhaps I was too quick and their explanation of the exploit is a bit vague. The Secunia insert DID get inserted into the window... but the window on the Mac version comes to the front and you see the change being made.

Using that criteria Safari, IE 5.2.3 AND Netscape 7.1 are all vulnerable.

Damn!

[Swordmaker]

see Reply 28. I spoke too soon.

[FairOpinion]

I have Norton, I even downloaded the fix from Microsoft, and when I did the test, it showed my browser is vulnerable.

Apparently Norton is spoofed too, it thinks that the new site is part of the trusted site.

So how to I protect myself, anybody has any specific suggestions?

[Hawkeye's Girl]

Well, the spoof doesn't work in Firefox 0.9.1, which I just downloaded after IE 6 got fooled.

[Swordmaker]

Freeper First_Salute has pinged me to this site which has an announcement that is important to all Macintosh users! Actually, it is important to all browser users regardless of platform!

MAC PING!!!! IMPORTANT!!!

IF you want to be added or dropped from the Mac Ping List, please Freepmail me.

Thanks, First _Salute!

[Squantos]

Well I downloaded the update last night from MS , restarted the puter and this "test" still seems to show I'm vulnerable based on their "test" ?

I'm running Norton Pro, Spybot & Blaster, Ad-Aware, AVG and Zone alarm pro all up to date with latest and greatest..... ???

Suggestions ? I know buy a Mac or go with mozilla.......:o)

[Dont Mention the War]

Perhaps I was too quick and their explanation of the exploit is a bit vague. The Secunia insert DID get inserted into the window... but the window on the Mac version comes to the front and you see the change being made.

I just had the same thing happen in Camino 0.8. Secunia specifically names Mac browsers as being affected.

Multiple Browsers Frame Injection Vulnerability

Secunia Advisory: SA11978

TITLE:
Multiple Browsers Frame Injection Vulnerability

SECUNIA ADVISORY ID:
SA11978

RELEASE DATE:
2004-07-01

LAST UPDATE:
2004-07-02

VERIFY ADVISORY:
http://secunia.com/advisories/11978/

CRITICAL:
Moderately critical

WHERE:
From remote

IMPACT:
Spoofing

SOFTWARE:
Internet Explorer 5.x for Mac
Konqueror 3.x
Mozilla 0.x
Mozilla 1.0
Mozilla 1.1
Mozilla 1.2
Mozilla 1.3
Mozilla 1.4
Mozilla 1.5
Mozilla 1.6
Mozilla Firefox 0.x
Netscape 6.x
Netscape 7.x
Opera 5.x
Opera 6.x
Opera 7.x
Safari 1.x

DESCRIPTION:
A 6 year old vulnerability has been discovered in multiple browsers, allowing malicious people to spoof the content of websites.

The problem is that the browsers don't check if a target frame belongs to a website containing a malicious link, which therefore doesn't prevent one browser window from loading content in a named frame in another window.

Successful exploitation allows a malicious website to load arbitrary content in an arbitrary frame in another browser window owned by e.g. a trusted site.

Secunia has constructed a test, which can be used to check if your browser is affected by this issue:
http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/

The vulnerability has been confirmed in the following browsers:
* Opera 7.51 for Windows
* Opera 7.50 for Linux
* Mozilla 1.6 for Windows
* Mozilla 1.6 for Linux
* Mozilla Firebird 0.7 for Linux
* Mozilla Firefox 0.8 for Windows
* Netscape 7.1 for Windows
* Internet Explorer for Mac 5.2.3
* Safari 1.2.2
* Konqueror 3.1-15redhat

Other versions may also be affected.

The vulnerability also affects Internet Explorer:
SA11966


SOLUTION:
Do not browse untrusted sites while browsing trusted sites.

The following browsers are not affected:
* Mozilla Firefox 0.9 and later
* Mozilla 1.7


REPORTED BY CREDITS:
Reported in Mozilla browser by:
Gary McKay


CHANGELOG:
2004-07-02: Updated solution.


OTHER REFERENCES:
SA11966:
http://secunia.com/advisories/11966/

Secunia Advisory: SA11978

[Bush2000]

On Friday, however, the security vendor modified the alert to claim that virtually every browser, from Internet Explorer and Mozilla to Opera and Netscape -- including browsers for both Windows and the Mac OS -- has this flaw.

See, cretins? Don't say you weren't warned.

[Swordmaker]

Bush, it IS possible to comment on this without insulting anyone.

Why not give it a try...

Before you get your self another time-out from FR.

[general_re]

Well I downloaded the update last night from MS , restarted the puter and this "test" still seems to show I'm vulnerable based on their "test" ?

Well, it's two different things in question here. This test apparently exploits a new problem, different from the one that the latest MS patch fixes. You can either switch to a non-vulnerable browser, such as Firefox, or you can tweak your settings in IE to not allow such things. Go to Tools -> Internet Options -> Security, highlight the Internet zone, and select "Custom Level". Scroll down until you find the setting that says "Navigate sub-frames across different domains" and select "disable" - hit "Okay", and back out. Re-run the test, and it'll no longer work.

If you tend to visit websites that (legitimately) rely on multiple domains for different frames, this may have the side-effect of not allowing such websites to load properly. That's not especially common, so I don't think it's likely that you'll have any real problems with changing the setting, but try it out and see if it breaks any sites you usually use.

[Swordmaker]

Here is the answer until the publishers of our browsers fix the problem (which will probably make the internet experience a little less convenient).

SOLUTION:

Do not browse untrusted sites while browsing trusted sites.

The following browsers are not affected:
* Mozilla Firefox 0.9 and later
* Mozilla 1.7

Simply use only ONE window when you need to use a secure site.

[Squantos]

THANKS !!...........Stay Safe !

[Eagle9]

We've had Bill Gates out here this week, meeting with our Prime Minister. And all week I've been battling IE problems- the Byte.Verify trojan, Bloodhound, and CoolWebSearch. And I must have thought, at least ten times, 'go home, Gates. Just go home, and fix up the holes in your product.'

A FReeper named Long Cut posted a thread on 6/05/2004 with exact instructions and links to software he used to get rid of CoolWebSearch. Numerous FReepers gave him helpful advice and links. I think if you read his thread, you'll be able to get rid of CoolWebSearch and probably the others you mentioned. Here's a link to the thread.

HIJACK!(No, Not THAT Kind!)