
Thread: Internet Explorer Warning!

  1. #1
    Forever Liz's Dad Steve Machol's Avatar
    Join Date
    Apr 2000
    Location
    Back in AZ
    Occupation
    Other Eyecare-Related Field
    Posts
    10,325

    Internet Explorer Warning!

    If you are currently using Internet Explorer for web browsing, you need to be aware that there is a very serious unpatched security issue that puts your computer and data at risk. Here are a couple of articles about this vulnerability:

    http://www.theregister.co.uk/2004/06/28/ie_is_complex/
    http://www.theregister.co.uk/2004/06...hits_websites/

    Since there is no patch available from Microsoft yet, the only safe thing you can do is to use an alternate browser, such as Firefox or Opera:

    http://www.mozilla.org/products/firefox/
    http://www.opera.com/


    OptiBoard Administrator
    ----
    OptiBoard has been proudly serving the Eyecare Community since 1995.

  2. #2
    Cape Codger OptiBoard Gold Supporter hcjilson's Avatar
    Join Date
    May 2000
    Location
    Cape Cod, Hyannis, MA. USA
    Occupation
    Dispensing Optician
    Posts
    7,437

    Or Safari.....if you have a Mac!

    Or Safari.....if you have a Mac! :_ hj

    sorry, couldn't resist! I'll be good from now on!
    "Always laugh when you can. It is a cheap medicine"
    Lord Byron

    Take a photo tour of Cape Cod and the Islands!
    www.capecodphotoalbum.com

  3. #3
    Bad address email on file OptiBoard Gold Supporter Sean's Avatar
    Join Date
    Jun 2000
    Location
    NC & MA
    Occupation
    Dispensing Optician
    Posts
    2,798
    Quote Originally Posted by hcjilson
    Or Safari.....if you have a Mac! :_ hj

    sorry, couldn't resist! I'll be good from now on!
    O.k. just you do that.....:) For the other 99% I would take heed of Steve's post. If using another browser is not an option...then I would make these first steps a priority........;)

    Block external access at the network boundary, unless service is required by external parties.
    If the affected application is not required to be globally accessible it is recommended that access to vulnerable computers be restricted to trusted hosts and networks.
    Deploy network intrusion detection systems to monitor network traffic for malicious activity.
    This may indicate exploitation attempts or activity that results from successful exploitation.

    In short, without the above cautions in place do not go to an unknown/trusted webpage/site.:(

  4. #4
    Forever Liz's Dad Steve Machol's Avatar
    Join Date
    Apr 2000
    Location
    Back in AZ
    Occupation
    Other Eyecare-Related Field
    Posts
    10,325
    I have heard that even images posted on a forum that originate from an affected server can infect your PC. If for whatever reason you cannot stop using IE, then make sure you disable all ActiveX scripting.

  5. #5
    Master OptiBoarder keithbenjamin's Avatar
    Join Date
    Jan 2003
    Location
    Atlanta, GA
    Occupation
    Optical Wholesale Lab (other positions)
    Posts
    680
    In case you're wondering how to disable ActiveX scripting...

    it's under tools|internet options|security|custom level

  6. #6
    Bad address email on file OptiBoard Gold Supporter Sean's Avatar
    Join Date
    Jun 2000
    Location
    NC & MA
    Occupation
    Dispensing Optician
    Posts
    2,798

    Take Heed Mr J.............

    Quote Originally Posted by hcjilson
    Or Safari.....if you have a Mac! :_ hj

    sorry, couldn't resist! I'll be good from now on!
    Every browser, from Internet Explorer and Mozilla to Opera and Netscape -- including browsers for both Windows and the Mac OS -- has this flaw.
    It's not a code vulnerability but a design flaw.

  7. #7
    Cape Codger OptiBoard Gold Supporter hcjilson's Avatar
    Join Date
    May 2000
    Location
    Cape Cod, Hyannis, MA. USA
    Occupation
    Dispensing Optician
    Posts
    7,437
    Hey Sean, I'm in Virginia now but I'll be talking to you first thing on Tuesday. Is there a way to check to see if Safari is affected? later hj

  8. #8
    Bad address email on file OptiBoard Gold Supporter Sean's Avatar
    Join Date
    Jun 2000
    Location
    NC & MA
    Occupation
    Dispensing Optician
    Posts
    2,798
    Quote Originally Posted by hcjilson
    Hey Sean, I'm in Virginia now but I'll be talking to you first thing on Tuesday. Is there a way to check to see if Safari is affected? later hj
    Sure is........try the link below.;)


    Vulnerability Test

  9. #9
    Forever Liz's Dad Steve Machol's Avatar
    Join Date
    Apr 2000
    Location
    Back in AZ
    Occupation
    Other Eyecare-Related Field
    Posts
    10,325
    By the way, MS has finally patched this. Do a Windows Update to install the critical patch. I just checked it against the link Sean posted and the patch does stop this exploit.

  10. #10
    Bad address email on file OptiBoard Gold Supporter Sean's Avatar
    Join Date
    Jun 2000
    Location
    NC & MA
    Occupation
    Dispensing Optician
    Posts
    2,798

    It works for now.............

    Quote Originally Posted by Steve Machol
    By the way, MS has finally patched this. Do a Windows Update to install the critical patch. I just checked it against the link Sean posted and the patch does stop this exploit.
    The update, which is tagged as "Critical," isn't a patch per se, but rather a change to Windows that disables the ADODB stream object within the operating system's Data Access Components (DAC).
    The ADODB disabler is meant only as a temporary fix. I hope the SP2 patch goes 10 steps better with plugging these holes. BTW.....as an extra precaution......Internet Explorer users can try to stymie such spoofing attacks by disabling the "Navigate sub-frames across different domains" setting under Tools/Internet Options/Security. Any other questions about this............please feel free to ask. I'll be glad to help.

  11. #11
    Bad address email on file OptiBoard Gold Supporter Sean's Avatar
    Join Date
    Jun 2000
    Location
    NC & MA
    Occupation
    Dispensing Optician
    Posts
    2,798

    Uuugghh .............It's not fixed yet.

    Microsoft Patch Leaves Holes Open
    Wilbert de Vries and Paul Roberts, WebWereld Netherlands

    Microsoft's effort last week to fix a vulnerability in the Internet Explorer Web browser and end the latest series of Internet attacks doesn't address another closely related and dangerous vulnerability, according to a security specialist.

    Dutch security expert Jelmer Kuperus published code on the Web last week that he says can be used to break into fully patched Windows systems using a slightly modified version of an attack called Download.Ject that Microsoft patched last week. The new attack targets a hole in a different Windows component than the one addressed by Microsoft's software patch. Using a similar attack, malicious hackers could break into even patched Windows machines, Kuperus says.

    Microsoft confirms that the company is aware of the exploit code, but does not believe any customers have been attacked using the Shell.Application exploit, a spokesperson says.

    Update Available

    Microsoft last week introduced a security update for Internet Explorer 6.0 to end the threat of Download.Ject. The update disables a Windows component called ADODB.Stream, which was allegedly being used by a Russian criminal gang called the Hangup Team to install malicious code on computers.


    By attacking a different Windows ActiveX component called Shell.Application, hackers can load malicious code onto machines.


    The attack relies on a vulnerability in Shell.Application discovered and disclosed in January by a security expert known by the online handle "http-equiv," Kuperus says.

    To prove his point, Kuperus posted a copy of attack code that targets the Shell.Application component on a Web site he maintains. Web surfers that use Windows XP with IE and visit the page are confronted with a screen that freezes Windows. According to Kuperus this example is harmless, but the exploit could be used in the same way the group of Russian criminals exploited the ADODB.Stream vulnerability in a series of attacks in June.

    Kuperus joined the expert known as http-equiv to create computer code that demonstrated the Shell.Application vulnerability. After the attacks in June, the two anticipated the patch issued by Microsoft would not be comprehensive and began writing a new exploit before Microsoft actually plugged the ADODB.Stream vulnerability.


    A few hours after Microsoft issued its update last week, Kuperus posted the new exploit on his site.


    "We discovered that by simply switching components, the exploit is back in business," Kuperus says.


    Microsoft acknowledges that the Shell.Application has similar capabilities to the ADODB.Stream component. However, it does not yet have configuration changes to address the vulnerability, as it did with ADODB.Stream, a spokesperson says.


    The Redmond, Washington software company is investigating the issue and is planning a series of updates to IE in the coming weeks that will provide additional security for its customers, she says.
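
An added example, not part of the thread or the quoted article: a PowerShell audit that reports whether the two ActiveX components named above, ADODB.Stream and Shell.Application, are blocked from being created inside Internet Explorer. It assumes the disabling is implemented as IE's ActiveX "kill bit" (the `Compatibility Flags` value 0x400 under the `ActiveX Compatibility` registry key), which the page does not state; the function names are hypothetical.

```powershell
# Added example: audit the IE ActiveX "kill bit" for components named in this thread.
# Assumption: a component is blocked in IE when its CLSID has
# "Compatibility Flags" with bit 0x400 set under ActiveX Compatibility.
$ProgIds = 'ADODB.Stream', 'Shell.Application'
$KillBit = 0x400

# 32-bit IE on 64-bit Windows reads the WOW6432Node view, so check both.
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-ClsidFromProgId {
    param([string]$ProgId)
    # Resolve the ProgID locally instead of hard-coding a CLSID.
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    (Get-Item -LiteralPath $key).GetValue('')   # default value holds the CLSID
}

function Get-KillBitStatus {
    param([string[]]$ProgId)
    foreach ($id in $ProgId) {
        $clsid = Get-ClsidFromProgId $id
        if (-not $clsid) {
            [pscustomobject]@{ ProgId = $id; Clsid = $null; Root = $null
                               Flags = $null; Blocked = $null; Note = 'ProgID not registered' }
            continue
        }
        foreach ($root in $CompatRoots) {
            if (-not (Test-Path -LiteralPath $root)) { continue }
            $key   = "$root\$clsid"
            $flags = $null
            if (Test-Path -LiteralPath $key) {
                $flags = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                          -ErrorAction SilentlyContinue).'Compatibility Flags'
            }
            [pscustomobject]@{
                ProgId  = $id; Clsid = $clsid; Root = $root; Flags = $flags
                Blocked = [bool]($flags -band $KillBit)   # $null flags -> not blocked
                Note    = if ($null -eq $flags) { 'no Compatibility Flags value' } else { '' }
            }
        }
    }
}

Get-KillBitStatus -ProgId $ProgIds | Format-Table -AutoSize
```

The kill bit only stops Internet Explorer from instantiating the control; scripts run outside the browser can still create the object, so a `Blocked = True` row says nothing about other hosts.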

  12. #12
    Bad address email on file OptiBoard Gold Supporter Sean's Avatar
    Join Date
    Jun 2000
    Location
    NC & MA
    Occupation
    Dispensing Optician
    Posts
    2,798

    5 New "Patches" Released

    There's now a total of 7 updates that Microsoft deems critical. The patch numbers MS04-018 through MS04-024 are now available. Go and get 'em :)

  13. #13
    Bad address email on file OptiBoard Gold Supporter Sean's Avatar
    Join Date
    Jun 2000
    Location
    NC & MA
    Occupation
    Dispensing Optician
    Posts
    2,798

    Microsoft Plugs 'Critical' IE Hole

    Microsoft has issued a special cumulative patch for its Internet Explorer browser, addressing three new security holes rated "critical," including one that was used in a virus attack in July.

    Patches rated "critical" mean that not installing the patch may lead to catastrophic damage to a PC because an attack could give a hacker complete control of that system, including the capability to reformat the hard drive.
    Ordinarily, Microsoft saves up patches for a monthly release, to make it easier for customers and IT staffs. However, when the company rates a security flaw "critical," it often releases the patch as soon as it's ready, the better to protect users.
    All of the patches issued to date are also built into the forthcoming final release of Windows XP Service Pack 2.
    Users of the current release candidate are already safer than those with the shipping copy of the browser.
    That's because Microsoft's IE developers have reengineered part of the browser so SP2 does not contain security weaknesses that were part of IE's original design.
    Besides the fix for the "cross-domain vulnerability," the latest cumulative patch also contains fixes for two other security flaws that Microsoft rates as "critical" on its four-tier severity rating scale. These two other patches fix holes in the way that IE processes and displays two leading graphics formats, BMP and GIF files. Go and get it.:)
