MS IIS & IE Out-of-Cycle Security Patch Coming Next Week

  1. #1
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487

    MS IIS & IE Out-of-Cycle Security Patch Coming Next Week

    Anyone else see this? MS is planning to release a patch next week to fix the flaw that allowed the Download.Ject malware attack. This will be for IIS and IE.

    Guess that zero day vulnerability and associated pressure woke MS up on this one...assuming the patch WORKS that is! I was hoping MS would get this out sooner rather than later.

    http://www.internetnews.com/security...le.php/3387301

    Microsoft plans to release an out-of-cycle security patch next week to fix a software flaw that led to the sophisticated Download.Ject malware attack, company officials disclosed on Wednesday.

    The company will release the patch, which is currently being tested, next week as a "critical" security update to provide a "long-term solution to the core vulnerability" that led to the Download.Ject attack.

    Dean Hachamovitch, Microsoft group product manager for Internet Explorer, made the announcement, saying the patch would cover IE versions 5.01, 5.5 and 6.0.

    The software giant has already released a Trojan detection and removal tool to help PC users clean up after the attack, which targeted well-known software flaws to install keystroke loggers and other malicious code on infected systems.

    The 118 kilobyte removal tool is programmed to remove the payload delivered by the server-side Download.Ject Trojan. The Trojan, also known as Scob, exploited vulnerabilities in Microsoft's IIS 5.0 servers and IE to distribute malware programs. It started spreading late last month after unknown attackers uploaded a small file with JavaScript to infected Web sites running Microsoft IIS 5.0 servers.

    A user visiting an infected site with IE automatically became infected with the JavaScript, which triggered a download from a Russian Web site. The download included Trojan horse programs like keystroke loggers, proxy servers and other back doors providing full access to the infected system.

    In addition to the Trojan detection and removal tool, Microsoft issued a slew of Windows configuration changes aimed at thwarting the Download.Ject attack. Hachamovitch said that those changes did not provide a complete fix to the core vulnerability.

    "Our users should have confidence that as long as they're running the latest browser with all the latest security fixes, they will have the most powerful and secure browsing experience," Hachamovitch said.

    Microsoft is also testing a clean-up tool for the latest mutant of the MyDoom virus that started squirming through major search engines earlier this week. The virus has been programmed to launch distributed Denial of Service attacks against the Microsoft.com home page.

    When it's released, the tool will be available for download here.
    http://informationweek.com/story/sho...cleID=26100723
    http://www.eweek.com/article2/0,1759,1628662,00.asp

  2. #2
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487

    IE Patch Released - MS04-025!

    The patch has been released already! And on a Friday no less, thanks M$.

    http://www.microsoft.com/technet/se...n/MS04-025.mspx

  3. #3
    Banned
    Join Date
    Jun 2003
    Posts
    1,302
    haha, that is funny. If I remember correctly, I thought M$ had a kind of rule to release all of their updates on Wednesday, because it usually caused widespread BS, when they didn't.

    Wow ric-o I guess you're going to be staying a bit late at work today, along with a bit of other people.

  4. #4
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487
    Originally posted here by whizkid2300
    haha, that is funny. If I remember correctly, I thought M$ had a kind of rule to release all of their updates on Wednesday, because it usually caused widespread BS, when they didn't.

    Wow ric-o I guess you're going to be staying a bit late at work today, along with a bit of other people.

    At M$ rules can be...and many times ARE broken! And what's REALLY scary about this is that they originally were going to release this early on next Tuesday as it was but came out with it even quicker probably because of the exploits found "in the wild".

    Sorry for the crabbiness but between CheckPoint releasing their bulletin yesterday at 4pm ET and M$ doing it today (Friday no less) at 2pm...these damn vendors have been keeping me and my team BUSY late afternoons into the evenings!

    There should be a law that says vulnerability bulletins cannot be released on Fridays or after 4pm ET (I'm biased toward that timezone, I know)!!!!

    Something interesting about this patch... in SUS it has a date of 7/23/04. So does that mean they have had it ready since last Friday and took this long to release it? Interesting....
