Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

Microsoft Plugs IE; Warns All Browsers At Risk (Test Your Browser Here)
TechWeb ^ | July 2, 2004 | Gregg Keizer

Posted on 07/03/2004 9:46:15 PM PDT by Eagle9

As if to prove the point that security is like the Dutch boy at the dike, Microsoft on Friday released a stop-gap fix for one of several vulnerabilities that have plagued its Internet Explorer just as a security firm warned that virtually every browser -- not just IE -- can be spoofed by hackers.

The update, which Microsoft tagged as “Critical,” isn't a patch per se, but rather an change to Windows that disables the ADODB.Stream object within the operating system's Data Access Components (DAC).

Last week, an innovative attack launched by a Russian hacker group from previously-infected Microsoft Internet Information Services (IIS) servers compromised a large number of PCs with identity- and financial information-thieving Trojan horses and key loggers. The attack exploited a pair of vulnerabilities in Internet Explorer, one of which -- ADODB -- had not been patched by Microsoft.

While the Russian Web site that hosted the malicious code -- which was surreptitiously downloaded to the compromised computers -- was taken down last Friday to remove the immediate danger, Microsoft has still not released a patch. The ADODB disabler is meant only as a temporary fix, said Microsoft, until it can permanently fix IE.

“In addition to this configuration change, Microsoft is working to provide a series of security updates to Internet Explorer in coming weeks that will provide additional protections,” said Microsoft in a statement. Microsoft did not offer up a timeline for any future IE patches, saying only that “a comprehensive update will be released once it has been thoroughly tested.”

The update to disable ADODB should be downloaded and installed by all users of Windows NT, Windows 2000, Windows XP, and Windows Server 2003, Microsoft said. It's available on the Windows Download site, or via the Windows Update

service. Windows XP Service Pack 2 (SP2), which is expected to release in final form this summer, is not susceptible to the ADODB vulnerability.

Friday's update is one of the few pieces of good news IE users have heard in the last week.

After a rash of exploits against IE vulnerabilities -- including the Web attack of last week, password-stealing Trojans, and a new way for hackers to spoof, or fake, Web sites -- some security analysts questioned whether Internet Explorer was safe enough to use.

Even the U.S. Computer Emergency Response Team (US-CERT), part of the federal government's Department of Homeland Security, recommended that users consider ditching IE for an alternate such as Mozilla or Opera.

“We're recommending one of two things,” said Thomas Kristensen, the chief technology officer at Danish security firm Secunia. “Either use Internet Explorer under very restricted security settings -- which may not be possible for all companies -- or install a different browser.”

Wednesday, Secunia issued a warning saying it had discovered a vulnerability within IE that allowed scammers to spoof, or fake, the content of a site displayed in the browser.

On Friday, however, the security vendor modified the alert to claim that virtually every browser, from Internet Explorer and Mozilla to Opera and Netscape -- including browsers for both Windows and the Mac OS -- has this flaw.

“It's not a code vulnerability,” said Secunia's Kristensen, “but a design flaw.”

The problem stems from how browsers handle frames. “Some time ago, browser designers decided that one site needed to be able to manipulate the content of another, and the functionality was adopted by everyone,” said Kristensen. But hackers can use this to inject phony content -- say their own credit card-stealing form -- into a frame of an actual trusted Web site, such as a user's online bank.

“In these times of phishing attacks and other scams, this is a problem,” said Kristensen. “You're visiting a bank or an e-commerce site, and you're certain of that site, but meanwhile, it's [actually] open in the background to content change by hackers.”

Internet Explorer users can stymie such spoofing attacks by disabling the “Navigate sub-frames across different domains” setting under Tools/Internet Options/Security.

Secunia offered up a quick test that users can run to see if their current browser is vulnerable to this problem.


TOPICS: Business/Economy; Front Page News; Technical
KEYWORDS: browser; getamac; ie; internetexploiter; lowqualitycrap; microsoft; patch; security; securityflaw; technology; vulnerability; vulnerable; windows
Navigation: use the links below to view more comments.
first previous 1-20 ... 61-8081-100101-120 ... 201-207 next last
To: Eagle9
Internet Explorer users can stymie such spoofing attacks by disabling the “Navigate sub-frames across different domains” setting under Tools/Internet Options/Security.

Actually there is a choice in I.E. That notifies you when this is attempted. This is cool, because it tells you when a site is doing something spicious without disabling the function, just in case their might be a legitimate use for it. In any case, it's nice to know when evil is being attempted.

81 posted on 07/04/2004 6:31:12 AM PDT by js1138 (In a minute there is time, for decisions and revisions which a minute will reverse. J Forbes Kerry)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bush2000
I'm getting a little tired...

Seek help. You really need it.

82 posted on 07/04/2004 6:32:13 AM PDT by TechJunkYard (Hello, I'm a TAGLINE virus. Please help me spread by copying me into YOUR tag line.)
[ Post Reply | Private Reply | To 52 | View Replies]

To: FL_engineer

Thanks, but I don't use Microsoft products. I'm a sworn Apple user and Safari is my browser.


83 posted on 07/04/2004 6:39:19 AM PDT by mass55th
[ Post Reply | Private Reply | To 67 | View Replies]

To: Eagle9

bump


84 posted on 07/04/2004 6:40:26 AM PDT by VOA
[ Post Reply | Private Reply | To 1 | View Replies]

To: FL_engineer
I installed Mozilla Firefox (as you suggested)
& have been using it ever since
I like it very much

thanks for the ping
85 posted on 07/04/2004 6:49:54 AM PDT by firewalk
[ Post Reply | Private Reply | To 67 | View Replies]

To: Bush2000

Hmm. MY browser is not vulnerable.


86 posted on 07/04/2004 6:55:10 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 35 | View Replies]

To: Eagle9

read


87 posted on 07/04/2004 7:03:11 AM PDT by mlbford2 (Sorry for spelling errors, I'm a product of a state university)
[ Post Reply | Private Reply | To 1 | View Replies]

To: FL_engineer

I abandoned IE last week after the second time I had to spend 3 hours searching out and removing spyware.


88 posted on 07/04/2004 7:16:49 AM PDT by Blood of Tyrants (Even if the government took all your earnings, you wouldn't be, in its eyes, a slave.)
[ Post Reply | Private Reply | To 67 | View Replies]

To: Eagle9

Same here, fully updated IE on fully updated XP still vulnerable. Firefox is safe.


89 posted on 07/04/2004 7:39:46 AM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bush2000
See, cretins? Don't say you weren't warned.

My browser doesn't have this flaw.

90 posted on 07/04/2004 7:45:43 AM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 35 | View Replies]

To: FL_engineer

Thanks for the ping.

My new SBC/Yahoo DSL downloaded the updates/patches in seconds. Then my computer installed them in about a minute.

I shut down and restarted my computer to come back to Free Republic. All was done in less than 3 minutes.


91 posted on 07/04/2004 8:00:53 AM PDT by Grampa Dave (Salute the 4th, Free Republic, and Jim Rob, become a monthly donor to Free Republic!)
[ Post Reply | Private Reply | To 67 | View Replies]

To: Eagle9

I'm safe. All my money is buried in the backyard.


92 posted on 07/04/2004 8:03:17 AM PDT by LibWhacker
[ Post Reply | Private Reply | To 1 | View Replies]

To: Sir_Ed

When I tried it with their "trusted" site it showed the problem. When I went to my own trusted site (a local bank), my browser didn't have a problem. Hum........


93 posted on 07/04/2004 8:21:08 AM PDT by Auntie Mame ("Whether you think you can or think you can't -- you are right." Henry Ford)
[ Post Reply | Private Reply | To 58 | View Replies]

To: Bush2000

"See, cretins? Don't say you weren't warned."

Hmmm, some of us cretins have been running the Mozilla strains for quite a while and haven't been affected. On the other hand, I am about to go delouse one of my Win 200 servers. Somehow my Freebsd box just keeps tooling along FOR YEARS without problems, and it sits bare naked outside my firewall.


94 posted on 07/04/2004 8:32:07 AM PDT by FastCoyote
[ Post Reply | Private Reply | To 35 | View Replies]

To: Bush2000

Mozilla Firefox 0.9.1--the latest version--does not have this vulnerability. In contrast, even when patched, Internet Explorer has this vulnerability.


95 posted on 07/04/2004 8:35:20 AM PDT by Terpfen (Re-elect Bush; kill terrorists now, fix Medicare later.)
[ Post Reply | Private Reply | To 35 | View Replies]

To: FL_engineer

Thanks.

It should be pointed out the root of this is not so much IE browsers as much as (per the article) previously infected servers, if I read that right.

I will stick with IE. If a server is compromised by a hacker, then they can target any browser where there's an opportunity to exploit a problem.

The fact that IE is targeted in this one does not by default mean Mozilla or any other is immune to exploits.


96 posted on 07/04/2004 8:40:35 AM PDT by RedBloodedAmerican
[ Post Reply | Private Reply | To 67 | View Replies]

To: Swordmaker
I've been using Camino of late:

http://www.mozilla.org/projects/camino/

There is also a Firefox for the Mac:

http://www.mozilla.org/products/firefox/

but I have not tried it.

Camino seems to run well enough and does not exhibit the Frame Injection Vulnerability.

If you test Camino and finds that it fails (Secunia), then please do let me know.

Thanks.

97 posted on 07/04/2004 8:56:09 AM PDT by First_Salute (May God save our democratic-republican government, from a government by judiciary.)
[ Post Reply | Private Reply | To 28 | View Replies]

To: FL_engineer

The MS critical update worked for my PC. Had to restart the service (or reboot) though.


98 posted on 07/04/2004 8:56:28 AM PDT by RedBloodedAmerican
[ Post Reply | Private Reply | To 67 | View Replies]

To: Swordmaker

BTW, I also use iCab; in fact, it is my preferred browser for the Mac. Latest version is 2.9.8.


99 posted on 07/04/2004 9:21:59 AM PDT by First_Salute (May God save our democratic-republican government, from a government by judiciary.)
[ Post Reply | Private Reply | To 36 | View Replies]

To: snopercod
I am reminded of *The Poseidon Adventure.*

When the ship was upside down, and the rescuers cut a hole in the hull?

It finally occurred to me, that instead of Gene Hackman et al, coming out of that hole, there should have been a waterspout. Si?!

100 posted on 07/04/2004 9:27:50 AM PDT by First_Salute (May God save our democratic-republican government, from a government by judiciary.)
[ Post Reply | Private Reply | To 96 | View Replies]


Navigation: use the links below to view more comments.
first previous 1-20 ... 61-8081-100101-120 ... 201-207 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson