jump to navigation

Microsoft Insecure Explorer 2008-12-17

Posted by clype in Articles of Interest.
Tags: , , , , , , , , , ,
trackback

Users of ‘Microsoft’s’ ‘Internet Explorer’ web Browser are being urged by experts to switch to a rival until a serious security flaw has been fixed.

The flaw in ‘Internet Explorer’ could allow criminals to take control of people’s computers and steal their passwords, Internet experts say.

‘Microsoft’ urged people to be vigilant while it investigated and prepared an emergency ‘patch’ to resolve it.

‘MICROSOFT’ SECURITY ADVICE

  • Change IE security settings to high (Look under Tools/Internet Options)
  • Switch to a Windows user account with limited rights to change a PC’s settings
  • With IE7 or 8 on Vista turn on Protected Mode
  • Ensure your PC is updated
  • Keep anti-virus and anti-spyware software up to date

‘Internet Explorer’ is used by the majority of the world’s computer users.

‘Microsoft is continuing its investigation of public reports of attacks against a new vulnerability in Internet Explorer’, said the firm in a security advisory alert about the flaw.

Microsoft says it has detected attacks against IE 7.0 but said the ‘underlying vulnerability’ was present in all versions of the browser.

  • Other browsers, such as Firefox, Opera, Chrome, Safari, are not vulnerable to the flaw Microsoft has identified.

‘In this case, hackers found the hole before Microsoft did’, said The Senior Security Advisor at ‘Trend Micro’, Mr. Rick Ferguson.

‘This is never a good thing’.

As many as 10 000 websites have been compromised since the vulnerability was discovered, he said.

‘What we’ve seen from the exploit so far is it stealing game passwords, but it’s inevitable that it will be adapted by criminals’ he said.

‘It’s just a question of modifying the payload the trojan installs.

‘If users can find an alternative browser, then that’s good mitigation against the threat’.

But ‘Microsoft’ counselled against taking such action. The Head of The Windows group at  ‘Microsoft UK’, Mr.John Curran said:

‘We’re trying to get this resolved as soon as possible.

‘At present, this exploit only seems to affect 0.02% of internet sites.

‘In terms of vulnerability, it only seems to be affecting IE7 users at the moment, but could well encompass other versions in time.

‘I cannot recommend people switch due to this one flaw’.

Mr.Richard Cox, The Chief Information Officer of anti-spam body ‘The Spamhaus Project’ and an expert on privacy and cyber security, echoed the warning from ‘Trend Micro’.

‘It won’t be long before someone reverse engineers this exploit for more fraudulent purposes. “Trend Mico’s” advice [of switching to an alternative web browser] is very sensible’.

Mr. Darien Graham-Smith, The Security Editor of ‘PC Pro magazine’ said that there was a virtual ‘arms race’ going on, with hackers always on the look out for new vulnerabilities.

‘It’s a shame “Microsoft” have not been able to fix this more quickly, but letting people know about this flaw was the right thing to do. If you keep flaws like this quiet, people are put at risk without knowing it.

‘The message needs to get out that this malicious code can be planted on any web site, so simple careful browsing isn’t enough.’

‘Every browser is susceptible to vulnerabilities from time to time. It’s fine to say “don’t use Internet Explorer” for now, but other browsers may well find themselves in a similar situation.’

Microsoft will rush out an emergency fix for its Internet Explorer (IE) software after the discovery of a flaw which allows hackers to take over PCs.

The company says it will release a patch for the web browser today, rather than waiting for its regular security update next month.

The flaw was discovered last week and attacks are ‘spreading like wildfire’, according to software security firm ‘Trend Micro’.

The company’s Senior Security Adviser Mr.Rik Ferguson said

‘It’s a flaw that affects every version of Explorer on all versions of Windows.

‘The main problem is that there isn’t a patch available, so it is very widespread.’

Mr.Ferguson explained that many cyber criminals operate by using malware — software that is installed on people’s computers without them knowing.

The software can then run in the background and connect to servers elsewhere, giving it the potential to detect and then pass on confidential information.

He explained that many pieces of malware are ‘injected’ onto websites across the world, often by cybercriminals who install them by using sign-up forms or other methods of interacting with a website.

The malware then runs a piece of Javascript that can detect when the site is being accessed on Explorer, and it then activates and downloads the malicious software.

‘Trend Micro’ believes as many as 10 000 sites have already been compromised, though Mr.Ferguson said it is impossible to know how many might have been hit.

  • His advice is to switch to another browser until the patch is released, as the malicious code only activates when it detects Explorer.

‘Microsoft’ has rejected this advice and instead recommends putting security settings at high and turning ‘Vista’ onto ‘protected’ mode.

Mr.Ferguson said:

‘All of their solutions are going to make browsing less attractive, less interactive and a lot less normal.’

Head of Microsoft Windows commercial business group in the UK, Mr.John Curran said:

‘Obviously when you are talking about a customer base of over one billion people, any amount of vulnerability is too much and any type of infection is going to see a large number of people affected by it.’

He added the flaw was primarily being exploited in China, where it has been used to steal passwords from gamers.

‘Microsoft’ today released an out-of-band security update (meaning the company deemed the flaw severe enough not to wait for next month’s Patch Tuesday) for ‘Internet Explorer’. The update, which addresses a remote code execution vulnerability and is rated as ‘Critical’ for all supported versions of IE, is available via both ‘Windows Update’ and ‘Microsoft Update’. Here is the official description, according to the security bulletin:

‘The vulnerability could allow remote code execution if a user views a specially crafted Web page using “Internet Explorer”.

‘Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

‘This security update is rated Critical for Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, and Internet Explorer 7.’

Note: IE8 testers should check Microsoft Connect for build 8.0.6001.18344, which includes this fix.

The security update fixes the problem by modifying the way ‘Internet Explorer’ validates data binding parameters and handles the error that results in the exploitable condition.

This flaw was subject to much media coverage after security advisers recommended that IE users use alternative browsers while waiting for ‘Microsoft’ to release a fix. If you’re interested in more detailed information on the flaw, check out KB 960714.

Advertisements

Comments»

No comments yet — be the first.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: