FINALLY: A real fix for the IE hole?
Source: http://www.internetnews.com/security...le.php/3387301
Quote:
July 28, 2004
Microsoft: Out-of-Cycle Security Patch Coming
By Ryan Naraine
Microsoft plans to release an out-of-cycle security patch next week to fix a software flaw that led to the sophisticated Download.Ject malware attack, company officials disclosed on Wednesday.
The company will release the patch, which is currently being tested, next week as a "critical" security update to provide a "long-term solution to the core vulnerability" that led to the Download.Ject attack.
Dean Hachamovitch, Microsoft group product manager for Internet Explorer, made the announcement, saying the patch would cover IE versions 5.01, 5.5 and 6.0.
The software giant has already released a Trojan detection and removal tool to help PC users clean up after the attack, which targeted well-known software flaws to install keystroke loggers and other malicious code on infected systems.
The 118 kilobyte removal tool is programmed to remove the payload delivered by the server-side Download.Ject Trojan. The Trojan, also known as Scob, exploited vulnerabilities in Microsoft's IIS 5.0 servers and IE to distribute malware programs. It started spreading late last month after unknown attackers uploaded a small file with JavaScript to infected Web sites running Microsoft IIS 5.0 servers.
A user visiting an infected site with IE automatically became infected with the JavaScript, which triggered a download from a Russian Web site. The download included Trojan horse programs like keystroke loggers, proxy servers and other back doors providing full access to the infected system.
In addition to the Trojan detection and removal tool, Microsoft issued a slew of Windows configuration changes aimed at thwarting the Download.Ject attack. Hachamovitch said that those changes did not provide a complete fix to the core vulnerability.
"Our users should have confidence that as long as they're running the latest browser with all the latest security fixes, they will have the most powerful and secure browsing experience," Hachamovitch said.
Microsoft is also testing a clean-up tool for the latest mutant of the MyDoom virus that started squirming through major search engines earlier this week. The virus has been programmed to launch distributed Denial of Service attacks against the Microsoft.com home page.
When it's released, the tool will be available for download here.
IMO, it's about damn time they get it fixed and patched. Took 'em what, 3 weeks?
IE Patch Released...INSTALL INSTALL INSTALL!
The patch has been released already! And on a Friday no less, thanks M$. :mad:
http://www.microsoft.com/technet/sec.../MS04-025.mspx
Quote:
Microsoft Security Bulletin MS04-025
Cumulative Security Update for Internet Explorer (867801)
Issued: July 30, 2004
Version: 1.0
Summary
Who should read this document: Customers who use Microsoft® Internet Explorer
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers should apply the update immediately.
Security Update Replacement: This update replaces the one that is provided in Microsoft Security Bulletin MS04-004, which is itself a cumulative update.
Caveats: This update does not include hotfixes for Internet Explorer provided since the release of MS04-004. Customers who have received hotfixes from Microsoft or their support providers since the release of MS04-004 should review the FAQ section for this update to determine how this update might impact their operating systems.
Tested Software and Security Update Download Locations:
Affected Software:
•Microsoft Windows NT® Workstation 4.0 Service Pack 6a
•Microsoft Windows NT Server 4.0 Service Pack 6a
•Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
•Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, Microsoft Windows 2000 Service Pack 4
•Microsoft Windows XP and Microsoft Windows XP Service Pack 1
•Microsoft Windows XP 64-Bit Edition Service Pack 1
•Microsoft Windows XP 64-Bit Edition Version 2003
•Microsoft Windows Server® 2003
•Microsoft Windows Server 2003 64-Bit Edition
•Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (Me) – Review the FAQ section of this bulletin for details about these operating systems.
Tested Microsoft Windows Components:
Affected Components:
•Internet Explorer 5.01 Service Pack 2: Download the update.
•Internet Explorer 5.01 Service Pack 3: Download the update.
•Internet Explorer 5.01 Service Pack 4: Download the update.
•Internet Explorer 5.5 Service Pack 2: Download the update.
•Internet Explorer 6: Download the update.
•Internet Explorer 6 Service Pack 1: Download the update.
•Internet Explorer 6 Service Pack 1 (64-Bit Edition): Download the update.
•Internet Explorer 6 for Windows Server 2003: Download the update.
•Internet Explorer 6 for Windows Server 2003 (64-Bit Edition): Download the update.
Quote:
Yea spyder, but some people get scared by something called Mozilla. Particularly my mother. She doesn't want to start using Thunderbird over Outlook because it "sounds weird".
LOL, yeah I have the same problem with friends and family.