
Thread: Deja-vu flaw? "Security hole digs into Microsoft"

  1. #1
    Senior Member genXer's Avatar
    Join Date
    Jun 2005

    Deja-vu flaw? "Security hole digs into Microsoft"

    Man - this one seems familiar - new or is USAToday just not up to date, or I need more caffeine:

    Posted 3/30/2006 10:09 PM

    Security hole digs into Microsoft

    By Byron Acohido, USA TODAY
    SEATTLE — For the second time this year, Microsoft is scrambling to fix a critical security hole in its Internet Explorer Web browser, a flaw cybercrooks found and have already begun to exploit.

    The flaw allows intruders to seize control of the PCs of anyone visiting corrupted websites. Thursday, cybercrooks stepped up their weeklong assault by releasing e-mail spam that entices victims to visit such websites, says Dan Hubbard, research director at tech security firm Websense.

    Spam recipients are asked to click on links to news stories about the U.S. dollar vs. other currencies. After clicking on the link, the user's PC freezes up for 30 seconds or so, as the website installs a software program that captures online bank account log-ins, then sends the log-ins back to cybercrooks. "You've really got to be confident about the website you're visiting," Hubbard says.

    Microsoft security chief Stephen Toulouse downplays the threat. "We're not seeing a lot of attempts to exploit this," he says. Even so, Microsoft recommends turning off IE's "active scripting" function until an official patch is ready.

    Instructions are at support.microsoft.com/security.

    The larger issue: Microsoft is being forced for the second time in three months to deal with a feared phenomenon in tech security: a vulnerability for which no patch exists, known as a "zero-day" threat.

    In December, cybercrooks moved quickly to exploit a similar Internet Explorer flaw, hijacking hundreds of thousands of PCs before Microsoft made a patch available. The emergence of zero-day threats has raised complex dilemmas for the world's largest software maker.

    Among them:

    • Timing of patches. Microsoft issues security fixes on the second Tuesday of the month. The company plans to issue a patch April 11, the next scheduled release date.

    It needs that time to make sure the patch works in 23 languages and doesn't interfere with applications tied into the browser, Toulouse says.

    Meanwhile, tech security companies eEye and Determina this week made temporary patches available for free. Microsoft says it can't vouch for the third-party patches.

    Still, eEye founder Marc Maiffret contends Microsoft's monthly patch cycle "isn't good enough to protect customers from zero-day threats."

    • Widening attacks. As tech suppliers push more home-entertainment and workplace tools online, they are opening virgin territory for cybercrooks.

    Zero-day threats lurk anywhere a PC user supplies data to online software applications such as browsers, e-mail or instant-messaging services and music or video players. Crooks are becoming adept at supplying data that tricks the application into giving up control of the PC.

    "None of this activity would be visible to an infected user," says Charles Renert, research director at Determina.
    The MS site has nothing specific, unless I missed it, about this particular threat - as stated previously, besides the mention of the December issue, this seems familiar for some reason. It did have this on the website for help for those who need it:

    No-Charge Support
    This phone number is for virus and other security-related support. It is available 24 hours a day for the U.S. and Canada.

    For phone numbers outside of the U.S. and Canada, select your region.
    "We're the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We've all been raised by television to believe that one day we'll all be millionaires and movie gods and rock stars -- but we won't. And we're learning slowly that fact. And we're very, very pissed off." - Tyler (Brad Pitt) Fight Club.

  2. #2
    Senior Member Deeboe's Avatar
    Join Date
    Nov 2005
    That sounds similar to what SANS is reporting here:
    Microsoft Altering ActiveX in Next Set of Patches
    Published: 2006-03-30,
    Last Updated: 2006-03-30 21:46:03 UTC by Ed Skoudis (Version: 1)

    We've gotten several e-mails from diligent readers (Thank you, Juha-Matti, Richard, and others) about Microsoft's plans to alter the way ActiveX controls work in a non-security related update associated with some legal imbroglio. According to Microsoft:

    "So [On April 11] when we release the next cumulative IE security update [which will also include the non-security update associated with ActiveX], customers will only be able to interact with Microsoft ActiveX controls loaded in certain web pages after manually activating their user interfaces by clicking on it or using the TAB key and ENTER key."

    That's not the end of the world, but it is worth noting.

    What does this mean to you? On April 11, some of your ActiveX controls may stop working. You can test this new IE voodoo by downloading an optional patch for IE from Windows Update. Microsoft will have a tool (a retro-patch?) for making IE behave like it does now, but that tool will only be supported through the June updates.

    For more information, check out this advisory for the details, or the newly added section to the FAQ (as of yesterday) to this advisory, and read this blog posting from a Microsoft employee working this issue. The blog posting includes specific advice for enterprise users (in summary... test!) and for consumers (in summary... use Windows Update and be happy!)

    UPDATE 1: Some readers have written in to express their unhappiness that the non-security-related patch done for legal reasons is being released with the fix for the zero-day IE flaw. I agree. I don't like to see them together either. Consider your complaint on that registered with the ISC, not that we can do anything about it.
    If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
    - Sun Tzu, The Art of War


  3. #3
    Senior Member Spekter1080's Avatar
    Join Date
    Oct 2005
    genXer, thanks for keeping us on our toes. This information is good to know, but I can't believe how slow Microsoft is, especially with something this dangerous.
    there's always a way in...

  4. #4
    something this dangerous.
    Ok... this is getting repetitive....

    There is nothing dangerous about a vulnerability that can be completely mitigated by doing nothing more than disabling or restricting something that you should be running unchecked anyway; ie... scripting.


  5. #5
    Senior Member Spekter1080's Avatar
    Join Date
    Oct 2005
    synja, think of all of the people who are not as, how shall I say,...computer literate as ourselves. This matter could be a danger to them. That is the perspective that I was looking at the matter through.
    there's always a way in...

  6. #6
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Shawnee country

    Heads up...

    Hackers use BBC story to bait IE exploit

    “Everybody is ignorant, only on different subjects.” — Will Rogers

  7. #7
    Senior Member Spekter1080's Avatar
    Join Date
    Oct 2005
    Wow! That's scary, just a reminder to watch your mail...
    there's always a way in...
