Microsoft Plugs IE; Warns All Browsers At Risk (Test Your Browser Here)

TechWeb ^ | July 2, 2004 | Gregg Keizer

[Eagle9]

As if to prove the point that security is like the Dutch boy at the dike, Microsoft on Friday released a stop-gap fix for one of several vulnerabilities that have plagued its Internet Explorer just as a security firm warned that virtually every browser -- not just IE -- can be spoofed by hackers.

The update, which Microsoft tagged as “Critical,” isn't a patch per se, but rather an change to Windows that disables the ADODB.Stream object within the operating system's Data Access Components (DAC).

Last week, an innovative attack launched by a Russian hacker group from previously-infected Microsoft Internet Information Services (IIS) servers compromised a large number of PCs with identity- and financial information-thieving Trojan horses and key loggers. The attack exploited a pair of vulnerabilities in Internet Explorer, one of which -- ADODB -- had not been patched by Microsoft.

While the Russian Web site that hosted the malicious code -- which was surreptitiously downloaded to the compromised computers -- was taken down last Friday to remove the immediate danger, Microsoft has still not released a patch. The ADODB disabler is meant only as a temporary fix, said Microsoft, until it can permanently fix IE.

“In addition to this configuration change, Microsoft is working to provide a series of security updates to Internet Explorer in coming weeks that will provide additional protections,” said Microsoft in a statement. Microsoft did not offer up a timeline for any future IE patches, saying only that “a comprehensive update will be released once it has been thoroughly tested.”

The update to disable ADODB should be downloaded and installed by all users of Windows NT, Windows 2000, Windows XP, and Windows Server 2003, Microsoft said. It's available on the Windows Download site, or via the Windows Update

service. Windows XP Service Pack 2 (SP2), which is expected to release in final form this summer, is not susceptible to the ADODB vulnerability.

Friday's update is one of the few pieces of good news IE users have heard in the last week.

After a rash of exploits against IE vulnerabilities -- including the Web attack of last week, password-stealing Trojans, and a new way for hackers to spoof, or fake, Web sites -- some security analysts questioned whether Internet Explorer was safe enough to use.

Even the U.S. Computer Emergency Response Team (US-CERT), part of the federal government's Department of Homeland Security, recommended that users consider ditching IE for an alternate such as Mozilla or Opera.

“We're recommending one of two things,” said Thomas Kristensen, the chief technology officer at Danish security firm Secunia. “Either use Internet Explorer under very restricted security settings -- which may not be possible for all companies -- or install a different browser.”

Wednesday, Secunia issued a warning saying it had discovered a vulnerability within IE that allowed scammers to spoof, or fake, the content of a site displayed in the browser.

On Friday, however, the security vendor modified the alert to claim that virtually every browser, from Internet Explorer and Mozilla to Opera and Netscape -- including browsers for both Windows and the Mac OS -- has this flaw.

“It's not a code vulnerability,” said Secunia's Kristensen, “but a design flaw.”

The problem stems from how browsers handle frames. “Some time ago, browser designers decided that one site needed to be able to manipulate the content of another, and the functionality was adopted by everyone,” said Kristensen. But hackers can use this to inject phony content -- say their own credit card-stealing form -- into a frame of an actual trusted Web site, such as a user's online bank.

“In these times of phishing attacks and other scams, this is a problem,” said Kristensen. “You're visiting a bank or an e-commerce site, and you're certain of that site, but meanwhile, it's [actually] open in the background to content change by hackers.”

Internet Explorer users can stymie such spoofing attacks by disabling the “Navigate sub-frames across different domains” setting under Tools/Internet Options/Security.

Secunia offered up a quick test that users can run to see if their current browser is vulnerable to this problem.

[Ernest_at_the_Beach]

I think it does work though in Firefox 8 on Linux...

[Ernest_at_the_Beach]

Just tested again, looks like Firefox .8 has the problem running on Linux.

[AnimalLover]

Thanks for posting this important information. I have just finished installing a crital patch from Microsoft.

Here's hoping!

[freedom moose]

i have a MAC and use Safari. It failed the test. I guess there'll be an update soon. Anyone have any suggestions on what to do in the meantime?

[freedom moose]

While Secunia DID successfully inject its content onto the page, the return to the page did not replicate that injection
i guess that's what happened to me too then. so maybe i don't have to worry. please explain what replicating the injection means. thanks

[DreadCthulhu]

Firefox is available for the Mac, and the latest version doesn't have this flaw. Try that for now. And the latest Windows Update DOES NOT fix this bug in IE. I just updated earlier & IE failed the test. Just a warning for people.

[Future Useless Eater]

The update, which Microsoft tagged as “Critical,” isn't a patch per se, but rather an change to Windows that disables the ADODB.Stream object

FYI, the Internet Storm Center tested this latest Microsoft/IE 'fix' and found it inadequate to stop hackers...

"...even after 'ADODB.Stream' is disabled, it is still possible to launch programs on the users system without user interaction."

A related suggestion was distributed by security experts this week that could ALSO be of interest. They reiterate an MS security note (Microsoft Knowledge Base Article 833633) concerning the "Local Machine zone"...

For those of you that don't mind tinkering under the hood" of your computer such as to tighten ALL the security settings in every zone with: Control Panel --> Internet Options --> Security
MS announced a FIFTH security zone NOT shown in that tool with suggestions of tightening things THERE as well...
The control panel tool shows only these four zones:

• Trusted sites
• Local intranet
• Internet
• Restricted sites

The 5th (even higher level) zone is known as "Local Machine zone", and the MS article suggested it may be helpful for the security conscious, in some cases to even strengthen some security settings there.

"a malicious user may try to take advantage of the power of the Local Machine zone to elevate their permissions and to run arbitrary code on your computer."

Those zone settings can only be tweaked using the registry editor (regedit), and the changes do the following for the Local Machine zone:

• Disables ActiveX Controls and plug-ins
• Disables Active scripting
• Disables data sources across domains
• Disables Java

If any of you say "you no longer use IE", be aware that a Windows computer STILL HAS SEVERAL OTHER programs that venture out on the internet and can be at risk (Windows Media Player) for example. Shutting off these vulnerabilities helps security in those OTHER programs as well.

With the latest sophistication of trojans, worms, and virus, I recommend tightening EVERY security zone (there is practically no such thing as a 'trusted site' anymore, and even the 'Local intranet' zone is commonly corrupted).
Then install a non-MS browser and emailer if you haven't already.

[Musket]

bump for later.

[Just mythoughts]

Thanks.

This never ends.

[backhoe]

Appreciate the info. I'm still cleaning garbage out of my machine.

[Byron_the_Aussie]

...if you read his thread, you'll be able to get rid of CoolWebSearch...

Thanks, champ. However I finally managed to get rid of it last week, with Spy Sweeper. I had a terrific dream, that night- I was the Ultimate Techie, hunting hackers on the Net, wrecking their homepages, terrorising their forums, posting accounts of my exploits on my blog. And- receiving millions in Paypal donations, from long-suffering IE users. :) Cheers, By

[TechJunkYard]

Netscape 4.77 under Red Hat 7.3 is NOT vulnerable.

[Dominic Harr]

I'm getting a little tired of their continual lies.

ooooh, it really burns you that Mozilla and Firefox have already fixed this "design flaw", doesn't it?

Bottom line -- once again, the open-source tool is safe while the proprietary one is not.

MS is to software what McDonalds is to food. You eat what you like, tho . . .

[ovrtaxt]

Using Mozilla 1.7. I passed, do I get a gold star?

[SeeRushToldU_So]

I am using FireFox. I switched a couple of weeks ago at the suggestoin of some Freepers.

So far I like it.

[1234]

Hey, what about Win 95 w/IE 5.5? TX

[Vinnie]

I'm in IE right now. Got an auto -update from MS yesterday.

IE failed the test.

Tried my usual browser, Mozilla 1.7. Passed

[B Knotts]

This is an odd article. It talks about the IE ADODB vulnerability, and then goes on to an entirely different implementation problem, shared by some other browsers, which is not as serious, in an apparent attempt to downplay the problems with IE.

Note to everyone: this is not the same as the big problem the other day.

[lainde]

BTTT

[Liberal Classic]

Swordmaker: Bush, it IS possible to comment on this without insulting anyone.

Bush2000: Stay out of it.

Too much coffee, Bob?

;)