Posted 3/30/2006 10:09 PM
Security hole digs into Microsoft
By Byron Acohido, USA TODAY
SEATTLE — For the second time this year, Microsoft is scrambling to fix a critical security hole in its Internet Explorer Web browser, a flaw cybercrooks found and have already begun to exploit.
The flaw allows intruders to seize control of the PCs of anyone visiting corrupted websites. Thursday, cybercrooks stepped up their weeklong assault by releasing e-mail spam that entices victims to visit such websites, says Dan Hubbard, research director at tech security firm Websense.
Spam recipients are asked to click on links to news stories about the U.S. dollar vs. other currencies. After clicking on the link, the user's PC freezes up for 30 seconds or so, as the website installs a software program that captures online bank account log-ins, then sends the log-ins back to cybercrooks.
"You've really got to be confident about the website you're visiting," Hubbard says.
Microsoft security chief Stephen Toulouse downplays the threat. "We're not seeing a lot of attempts to exploit this," he says. Even so, Microsoft recommends turning off IE's "active scripting" function until an official patch is ready.
Instructions are at support.microsoft.com/security.
The larger issue: Microsoft is being forced for the second time in three months to deal with a feared phenomenon in tech security: a vulnerability for which no patch exists, known as a "zero-day" threat.
In December, cybercrooks moved quickly to exploit a similar Internet Explorer flaw, hijacking hundreds of thousands of PCs before Microsoft made a patch available. The emergence of zero-day threats has raised complex dilemmas for the world's largest software maker.
• Timing of patches. Microsoft issues security fixes on the second Tuesday of the month. The company plans to issue a patch April 11, the next scheduled release date.
It needs that time to make sure the patch works in 23 languages and doesn't interfere with applications tied into the browser, Toulouse says.
Meanwhile, tech security companies eEye and Determina this week made temporary patches available for free. Microsoft says it can't vouch for the third-party patches.
Still, eEye founder Marc Maiffret contends Microsoft's monthly patch cycle "isn't good enough to protect customers from zero-day threats."
• Widening attacks. As tech suppliers push more home-entertainment and workplace tools online, they are opening virgin territory for cybercrooks.
Zero-day threats lurk anywhere a PC user supplies data to online software applications such as browsers, e-mail or instant-messaging services and music or video players. Crooks are becoming adept at supplying data that tricks the application into giving up control of the PC.
"None of this activity would be visible to an infected user," says Charles Renert, research director at Determina.