Posted on 07/03/2004 9:46:15 PM PDT by Eagle9
As if to prove the point that security is like the Dutch boy at the dike, Microsoft on Friday released a stop-gap fix for one of several vulnerabilities that have plagued its Internet Explorer just as a security firm warned that virtually every browser -- not just IE -- can be spoofed by hackers.
The update, which Microsoft tagged as “Critical,” isn't a patch per se, but rather an change to Windows that disables the ADODB.Stream object within the operating system's Data Access Components (DAC).
Last week, an innovative attack launched by a Russian hacker group from previously-infected Microsoft Internet Information Services (IIS) servers compromised a large number of PCs with identity- and financial information-thieving Trojan horses and key loggers. The attack exploited a pair of vulnerabilities in Internet Explorer, one of which -- ADODB -- had not been patched by Microsoft.
While the Russian Web site that hosted the malicious code -- which was surreptitiously downloaded to the compromised computers -- was taken down last Friday to remove the immediate danger, Microsoft has still not released a patch. The ADODB disabler is meant only as a temporary fix, said Microsoft, until it can permanently fix IE.
“In addition to this configuration change, Microsoft is working to provide a series of security updates to Internet Explorer in coming weeks that will provide additional protections,” said Microsoft in a statement. Microsoft did not offer up a timeline for any future IE patches, saying only that “a comprehensive update will be released once it has been thoroughly tested.”
The update to disable ADODB should be downloaded and installed by all users of Windows NT, Windows 2000, Windows XP, and Windows Server 2003, Microsoft said. It's available on the Windows Download site, or via the Windows Update
service. Windows XP Service Pack 2 (SP2), which is expected to release in final form this summer, is not susceptible to the ADODB vulnerability.
Friday's update is one of the few pieces of good news IE users have heard in the last week.
After a rash of exploits against IE vulnerabilities -- including the Web attack of last week, password-stealing Trojans, and a new way for hackers to spoof, or fake, Web sites -- some security analysts questioned whether Internet Explorer was safe enough to use.
Even the U.S. Computer Emergency Response Team (US-CERT), part of the federal government's Department of Homeland Security, recommended that users consider ditching IE for an alternate such as Mozilla or Opera.
“We're recommending one of two things,” said Thomas Kristensen, the chief technology officer at Danish security firm Secunia. “Either use Internet Explorer under very restricted security settings -- which may not be possible for all companies -- or install a different browser.”
Wednesday, Secunia issued a warning saying it had discovered a vulnerability within IE that allowed scammers to spoof, or fake, the content of a site displayed in the browser.
On Friday, however, the security vendor modified the alert to claim that virtually every browser, from Internet Explorer and Mozilla to Opera and Netscape -- including browsers for both Windows and the Mac OS -- has this flaw.
“It's not a code vulnerability,” said Secunia's Kristensen, “but a design flaw.”
The problem stems from how browsers handle frames. “Some time ago, browser designers decided that one site needed to be able to manipulate the content of another, and the functionality was adopted by everyone,” said Kristensen. But hackers can use this to inject phony content -- say their own credit card-stealing form -- into a frame of an actual trusted Web site, such as a user's online bank.
“In these times of phishing attacks and other scams, this is a problem,” said Kristensen. “You're visiting a bank or an e-commerce site, and you're certain of that site, but meanwhile, it's [actually] open in the background to content change by hackers.”
Internet Explorer users can stymie such spoofing attacks by disabling the “Navigate sub-frames across different domains” setting under Tools/Internet Options/Security.
Secunia offered up a quick test that users can run to see if their current browser is vulnerable to this problem.
That did the trick...........Thanks again !!
Stay safe !!
Anyway, what do I care - I use Firefox ;)
My pleasure ;)
Thanks for clearing that up. I used the "Prompt" option so I'll be abe to see if this ever actually becomes an issue. By the way, I don't see where Microsoft is to blame if IE already has the built in option to turn off this suspicious "navigating."
Thanks for the post. I was running Mozilla 1.1, didn't know it was that old and it was vulnerable so I downloaded v1.7 and that solved the problem.
Yeah. You could certainly make a case that the default setting is too lax, but at least the setting is there and accessible in order to prevent this from happening, and I'm not at all sure that that much is true for other browsers...
This is a browser problem. Firewalls and virus scanners have nothing to do with this problem and won't fix it.
Interestingly, IE failed the test but iRider passed using IE as its rendering engine...
Have you heard of CWShredder? Sorry if this is a dumb question from a non-system admin.
Thanks, it worked for me, too.
You ever hear of A2 squared scanner ? Seems to be a pretty good malware scanner.
But the latest versions of Mozilla & Firefox have this problem fixed; but Internet Explorer is still vunerable - I ran Windows Update 20 minutes ago, and IE still failed that security test.
Anyone know of a good way of updating a version of Mozilla and getting all the mail files and other such prefference to transfer automaticaly. The last time I tried to udate a Mozilla broswer I had to follow all kinds of wierd procedures and copy all the files manualy...and delete some mail files and have them re-created...ect...The biggest pain in the butt I ever saw. With Netscape 4.x all you had to do was transfer your whole profile from one to the other and it was done. This is a real step in the wrong direction for Mozilla IHMO. They should have a way to import an entire profile in one move. I see that you can import somethings...You can import mail from non Mozilla sources, but not from another copy Mozilla...even if it is the same version.(As in transfer from one computer to another) Now that is pathetic. So what is the best way to update from say v1.6 to version 1.7? I know they even want you un-install the old version first. Thanks
If you are using windows 98 then Microsoft offers no fix for this via auto update....or the last big security problem either....Even though it obvioulsy has nothing to do with what version of windows you are using. It is simply defective browswer software.
BUMP!
I've got a Mac, and that page spoofed itself into a MS page, using IE!
I'll try Safari next...
Ed
Wow...that spoof works with Safari, too!
Weird...I openmed and then watched the test MS page, clicked on the Secunidia link, and voila, the frame from them spoofed itself into the MS page!
I hope Mac comes up with a way to stop that...
Ed
AND Safari!
Ed
You are actually calling us cretins because we buy Macintoshes???
What the heck is wrong with you??
Cretin is hardly a word to apply to fellow Freepers who simply choose to buy another OS than the one you use.
Ed
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.