Recent Internet Explorer Patch Failed To Fix Security Hole

InternetWeek ^ | September 29, 2003 | Gregg Keizer

[HAL9000]

A patch issued last month for a critical vulnerability in Microsoft's Internet Explorer Web browser leaves any user surfing the Web open to a wide variety of attacks, a security analyst said Monday.

The problem stems from August 20 when Microsoft released patches for Internet Explorer 5.01, 5.5, 6.0, and version 6.0 for Windows Server 2003 that it said would fix an Object Type vulnerability, which could allow an attacker to run malicious code on a PC if the user navigated to the attacker's Web site. The original patch can be downloaded using Microsoft's WindowUpdate Service, or from the Microsoft TechNet Web site.

But the patch doesn't seem to be patching.

"Whether you are patched or not, attackers can execute code on your computer at will when you visit a hostile Web site when using vulnerable versions of Internet Explorer," said Ken Dunham, the malicious code intelligence manager for Reston, Va.-based iDefense.

A Microsoft Web page detailing the original Internet Explorer vulnerability it said that teams were investigating reports of new variations on the original flaw. As of publication time, Microsoft had not returned a call asking for comment.

However, according to sources outside of Microsoft, attackers are exploiting this vulnerability in a number of ways. Postings on the Bugtraq security e-mail list tell of one method where the attacker hijacks running AOL Instant Messenger (AIM) accounts, changes the password, and sends a message to the user's buddy list with a link to the malicious Web page.

Other attacks that exploit the undiscovered flaws in Internet Explorer, include one that entices users to porn Web sites, where code is downloaded that dials 900 numbers, racking up hundreds in charges without the user's knowledge. Another uses pop-up adds to drive users to pay-per-click Web sites, said Drew Copley, a research engineer at Aliso Viejo, Calif.-based eEye Digital Security, who discovered the original security vulnerability.

"In one sense, these are new bugs in IE," said Copley, "but in another sense they're not. Microsoft had more than three months to fix these, but they didn't." Copley said he originally notified Microsoft of the flaws in IE in mid-May.

"This is pretty scary stuff," said Dunham. "Any type of code could be deployed in this type of attack."

What's new here, said Dunham, is the vector used by attackers to plant their code on machines. While Trojan horse authors have used other methods to infect computers--worms that arrive in e-mail attachments, for instance, and attackers' ongoing exploits of the Microsoft Windows' RPC DCOM vulnerabilities--this route is more insidious.

"It used to be true that you couldn't get infected just by surfing the Internet," said Dunham. "But we're not talking about opening an attachment here. It doesn't matter if you've patched Internet Explorer. All you have to do is surf to one of these malicious sites, and boom, you're infected."

Saying that attackers have a "leg up on us at the moment," Dunham said that this zero-day vulnerability--so-called because the exploit is available, but a patch is not--poses a threat to anyone who uses relatively recent versions of Internet Explorer.

Users should consider disabling ActiveX controls and plug-ins in Internet Explorer until a revised patch is available, urged Dunham, and/or configure the browser to block ActiveX controls on untrusted sites. Microsoft has outlined workarounds that users can take to block ActiveX controls until a patch is re-released. They can be found in the original vulnerability's security bulletin under the Workarounds section of Frequently Asked Questions.

An alternate strategy would be to switch to another browser, such as Mozilla or Opera, which isn't affected by the vulnerability, said Dunham.

"Internet Explorer is one of the most common software applications targeted," Dunham said in suggesting that companies concerned about security consider switching browsers.

[Cicero]

This would seem to be an argument for using Gibson Research's DCOMbobulator. Some Freepers were complaining about it on a thread a couple of days ago, but I haven't had the least problem with it.

[sigSEGV]

DCOMBobulator has nothing to do with this.

[Eric in the Ozarks]

Or Zone Alarm.

[DefCon]

Microsoft assures users that a patch for the patch should be available soon...

[sigSEGV]

Another thread, another rant. Zone Alarm does not prevent these types of attacks.

[toupsie]

Does this affect Mac OS X? Oh wait, that's a silly question...

God bless Microsoft, they keep me employed.

[HAL9000]

Microsoft Windows -

More Patch Than Tube

[Eric in the Ozarks]

The ZA bottled up one of those fake 'microsoft' messages. I'm pleased with it so far.

[Salo]

Welllll...at least i don't have to patch anything. Until the patch's patch comes out. :-P

[Salo]

Pinging the Penguin Pinger

[Salo]

hal, do you think the Chinese will help MS patch this now? ;-)

[stainlessbanner]

bump

[rdb3]

The Penguin Ping.

Wanna be Penguified? Just holla!

Got root?

[Petronski]

I wanted penguified, I hollahed, and you came through. Thanks.

P.S. There's a long list of sophomore-level questions in your private inbox. No rush for answers, but I know I'm consulting the right source. Peace.

[Petronski]

Bwa ha ha ha ha ha! Good one.

[Coral Snake]

They CERTAINLY DO, refering to the words on the front of the box.

Guns, Linux and Liberty. ;c)

[Coral Snake]

Welcome to Penguinland. What did you finally get for the old laptop?

Guns, Linux and Liberty. ;c)

[Petronski]

The hard drive came in today, and I believe I will try Mandrake first. I like SuSE best, but my favorite browser, Mozilla, can only display chunky sawtooth fonts on SuSE 8.2, and as far as I can tell, there's no good way around this.

Any help?

[Petronski]

When I say I prefer SuSE, I of course mean to say SuSE/KDE.