Hackers jump through holes in Microsoft patch

Free Newsletters

Log-in | Register

Hackers jump through holes in Microsoft patch Newest vulnerability is one Microsoft said it fixed weeks ago
By Paul Roberts, IDG News Service September 08, 2003			E-mail Printer Friendly Reprints Slashdot It!

Security experts are warning Microsoft customers about silent Internet attacks that exploit a security flaw in the Internet Explorer Web browser, potentially allowing remote attackers to run malicious code on vulnerable machines.

Free IT resource

Virtualization Insights from Top Experts - Learn how virtualization gets real!

Sponsored by Microsoft

The vulnerability is similar in scope to those exploited by devastating worms such as Nimda, Badtrans and Klez, according to one security company. And, to make matters worse, the flaw is one Microsoft said it fixed weeks ago.

The security hole, known as the "Object Data vulnerability," affects Internet Explorer (IE) versions 5.01, 5.5 and 6.0. It concerns the way that IE processes HTML (Hypertext Markup Language) pages containing a special element called the Object Data tag. If properly exploited, the vulnerability could enable an attacker to place a malicious computer program on a user's machine. No user actions would be required aside from opening an e-mail message or visiting a Web page containing the attack.

On August 20, Microsoft released a patch for IE, MS03--032, that it said closed the hole, in addition to patching other security holes in IE. (See: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-032.asp.)

According to a message posted to a prominent security discussion group Sunday, however, the vulnerability still exists on machines using IE even after applying the patch.

That message, posted by an individual using the name "http-equiv@excite.com," contained sample code that showed IE is still vulnerable to attack using the vulnerability from HTML pages that are created dynamically using computer script, like JavaScript, embedded in Web pages or e-mail messages.

A Microsoft spokesman confirmed that the company is investigating the reports of new exploits for one of the vulnerabilities addressed in the MS03-032 security bulletin.

However, Microsoft still recommends that customers install that patch, he said.

The Redmond, Washington, software company is not aware of any customers who have been attacked using the vulnerability, he said.

However, security researchers know of at least one exploitation of the Object Data vulnerability that is already circulating on the Internet, according to a statement by security company Secunia Ltd. of Copenhagen, Denmark.

An e-mail message that contains HTML code that exploits the vulnerability is used to silently retrieve and run a file, "drg.exe," that installs a file called "surferbar.dll" onto the victim's computer, according to the Secunia alert.

That file adds a new bar to the affected users' Internet Explorer Web browser with links to pornographic Web sites, the company said.

The Object Data vulnerability is also similar to an earlier IE security hole dating to 2001, MS01-020, that was exploited by virulent e-mail worms such as Nimda and Klez, according to Secunia.

Security experts familiar with the issue say that Microsoft's failure to thoroughly test their patch against attack scenarios using the Object Data vulnerability is a black eye for the company.

"Microsoft should be ashamed. This is a major embarrassment," said Richard Smith, an independent security analyst based in Boston.

The problem with the Object Data vulnerability is similar to a hole found in a prior Microsoft patch, according to Israeli security company GreyMagic Software, which issued a report on the problem in Feb. 2002.

That fact points to problems with Microsoft's patch testing process, Smith said.

"They need to go back and look at how this slip-up occurred. They keep saying they can't prevent bugs, but when the same problems keep occurring over and over, that's a management issue," he said.

A Microsoft spokesman said the company is committed to keeping customers data safe and will take "appropriate action" to protect customers when its investigation into the new exploits is complete.

In the absence of a patch from Microsoft to fix the problem, security experts recommended disabling support for Active Scripting on affected IE versions. Failing that, users should consider uninstalling the popular browser to protect themselves from attack, experts said.

E-mail

Printer Friendly

Reprints

Slashdot It!

TOP NEWS:

» Four quick tips for choosing an IM security product
71 percent of businesses will invest in real-time messaging this year. If you're one of them, be sure to protect your enterprise

» Forrester analysts ID hot IT jobs
Research group finds 16 IT roles with a promising future

» Nvidia claims 10 hours of HD video on Tegra chip
The Tegra 600 and 650 can be used with hard disk drives and are designed partly for mobile Internet devices

» Database vendors add Google's MapReduce
Greenplum and Aster Data Systems will support Google's programming technique, developed for parallel processing of large data sets across commodity hardware

» Network management: Tips for managing costs
New technologies, changing requirements, and ongoing equipment maintenance and upgrades cost money, but there are ways to manage expenses

» EMC targets SMBs, branch offices with new low-end storage
Celerra NX4 highlights include thin provisioning, snapshot technology for data recovery and backups, and Web-based console for management of storage volumes

FIVE WAYS TO REDUCE IT COSTS IN 2009
The demands on IT have never been greater, particularly in light of lower revenue and uncertain demand for the goods and services. There are many ways that IT can help organizations adjust to this new economic environment. Learn about five key technology trends that can immediately impact your organization's bottom line, and how to build a strategy to implement these technologies within your current budget. Sponsored by: Riverbed

» Click here to view this Webcast

The Path to Enterprise Security
This is your comprehensive guide to Enterprise Security. In it you'll find solutions to the most pressing security threats facing you and your company. Learn the latest on insider threats and how to effectively minimize risk within your organization. Sponsored by Nokia

» Click here to download now

- Special Advertising Partners -

WHITE PAPERS

The Spirit of Innovation: 100 IT Leaders Speak Out - A new AT&T-sponsored survey explores how leaders perceive IT's role in stimulating creativity. Additionally, you can hear...
An AT&T White Paper: Enterprise IPTV Solution - Discover two components of a solution that allows you to produce and broadcast video to internal and external audiences:...
HP Architect Planning Tools for MS Office Communications Server 2007 - This user guide provides details on the HP Arch. Planning Tool for OCS 2007: - Detail on various input parameters and ...
When Content is King: Content Delivery Networks (CDNs) & You - Consumers now expect to see rich media on corporate websites. Learn how and why some businesses are turning to outside vendors...
HP ProLiant BL480c Server Blade Microsoft Exchange Server 2007 - The Exchange deployments can incorporate different server, storage and application availability features to support tiered...
Best practices for Microsoft Exchange 2007 with HP Servers - After extensive testing, we present you with configuration and performance data, best practices, and recommendations to ...

» Technology White Papers Library

Technology White Papers by Topic

Technology White Papers E-mail Alert

Find out when the latest white paper is available:

INFOWORLD MARKETPLACE

Deliver REMOTE SUPPORT Easily. Try WebEx FREE! - DOWNLOAD WEBEX SUPPORT CENTER FREE! Deliver efficient, effective support. CRUSH SUPPORT LOG JAMS!
Migrating to an IP-VPN? XO Can Make It Happen - Learn the five critical success factors with a free whitepaper from XO Enterprise Solutions.
Sign up to TRY WEBEX SUPPORT CENTER FOR FREE! - Get your FULL FEATURED trial here. Share documents and applications, address support challenges.
IP Networks Boost Secure Health Communications - AT&T provides secure communication to keep health care moving forward.
Why a CMDB? - IT best practices (ITIL) have shown the benefits of a CMDB. Click for whitepapers.

» BUY A LINK NOW

FIND PRODUCTS AND COMPANIES

» COMPLETE PRODUCT GUIDE

TECHNOLOGY INDEX

• Applications
• Application Development
• Security
• Networking
• Wireless
• Platforms
• Hardware
• Data Management
• Storage
• Web Services
• Business
• Telecom
• Professional Services
• Standards

TECH WATCH

What's the 411 on GOOG-411?
Just as Google has become synonymous with "performing a Web search," 411 is understood to mean "information" -- as in "what's the 411?" I was thus surprised to discover, from a billboard, no less, that the king of search is taking on the ...

Apple HTML source reveals 'iPhone Extreme'
"This one's a stretch..." reports AppleInsider. Um, yeah. Reporting on HTML code sightings of product names could be called a stretch, but iPhone Extreme has a ring to it. Now, that sounds like the product Apple should have released first, rather ...

COLUMNISTS

Unified under law

(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...

» MORE COLUMNISTS

MORE INFOWORLD BLOGS

Open Sources

Product Management
When I joined MySQL four years ago, there was quite a lot of debate about product management. We didn't actually have ...

Zero Day

Botnet herders tending smaller flocks
New research backs up the theory that botnet operators are keeping their networks smaller in a continued effort to keep ...

• Advice Line
• Database Underground
• The Deep End
• Enterprise Mac
• Geeks in Paradise
• Grid Meter
• The Gripe Line
• InfoWorld Daily
• Inside IT
• IT Troubleshooter
• ITXtreme
• Open Sources
• ProdBlog
• Real World SOA
• Reality Check
• Security Adviser
• SMB IT
• The Storage Network
• Tech Watch
• Virtualization Report
• Zero Day

RESOURCE CENTER	advertisement
Ads by techwords beta See your link here

GOVERNMENT IT & POLICY
•	'If you don't go after the network, you're never going to stop these guys. Never.'
•	From the State Department, All the News for Inquiring Minds
•	TechPresident, the Internet Citizenry's New Consensus Taker

Sponsored Technology Links
AT&T - New from AT&T: Discover Fixed-Mobile Convergence Now AT&T - Securing the Converged Enterprise I AT&T - An AT&T Article: When Content is King AT&T - The Spirit of Innovation: 100 IT Leaders Speak Out AT&T - Machines That Speak: The Machine-to-Machine Wireless Network AT&T - The Top 10 Best Practices for Server Virtualization Planning Rocket Gang - Jazz Meets Development in IBM Rational Team Concert Nokia - Interaction between Nokia Intrusion Prevention and Nokia Firewall Riverbed - Five Ways to Reduce IT Costs in 2009 AT&T - AT&T Article: Reinventing the Telephone with VoIP (ISC)2 - I'm an SSCP Go-To Guy. See what I do. Click here! AT&T - AT&T Business Continuity Survey on Risk Management AT&T - Maximizing Mobility in Communications Rackspace - The True Value of a Hosting Provider AMD - The Future is Fusion. Only from AMD. Learn more. Nokia - The Case for a Specialized Security Platform Intersystems - Develop and integrate faster with InterSystems Ensemble. AMD - Learn how the new Quad-Core AMD Opteron(TM) processor improves performance AT&T - Securing the Converged Enterprise II AT&T - An AT&T White Paper: Enterprise IPTV Solution HP - HP Architect Planning Tools for MS Office Communications Server 2007 HP - Best Practices for Deploying Microsoft Office SharePoint Server 2007 HP - HP ProLiant BL480c Server Blade Microsoft Exchange Server 2007 HP - HP Smart Array P800 Controller and HP MSA60 2,500 Oracle - Top 3 Ways to Cut Costs in 2009 with Oracle Content Management AMD - See the power of the new Quad-Core AMD Opteron(TM) processor ASG Software - Transform your IT Organization now! ISC2 - Network Security Solutions Guide		Infoblox - The Costs and Impacts of DNS and IP Address Management Riverbed - Virtualization Solutions Guide Armstrong - Delivering Actionable Enterprise Architecture HP - HP StorageWorks products-control, consolidation and confidence. Vision Solutions - Solving Downtime Challenges to Manufacturing and Supply Chain Operations Oracle - The Top Three Ways to Cut Costs in 2009 HP - Predict the future with HP Insight Power Manager HP - Affordable technology-no compromise. HP server solutions. Motorola - The Enterprise Mobile Messaging Benchmark Report Data Domain - IDC Workbook: Assess the Value of Deduplication for your Storage Consolidation Initiatives Vision Solutions - Real-Time, On-Demand Information for Business Intelligence and Data Integration Samsung Printing Solutions - control workflow, costs and operations Check Point - Check Point Endpoint Security White Paper Get to know - BlackBerry Professional Software-find out more Oracle - Oracle Universal Content Management Oracle - Information Workplace Platforms: Oracle vs. Microsoft Oracle - Performance Monitor: ERP at the Speed of Light Sony - Discover the advantages of Sony LTO media at sony.com/lto. Sun - Virtual Machines: Sun's xVM Virtualization Portfolio Verisign - The Latest Advancements in SSL Technology CA - Plan IT better, Manage IT better. CA - Manage your IT more effectively. Intel - Processor-enabled Virtualization. That's IT as it should be. Microsoft - Get the virtualizing power of Windows Server 2008 with Hyper-V Microsoft - Microsoft SQL Server 2008. Read Case Studies & Try for Free Microsoft - Learn about the software-based VoIP solution from Microsoft. Oracle - Nucleus Report: Who's ready for SMB? Qwest - Learn how Qwest voice and data solutions can save you time.

	HOME NEWS BLOGS PODCASTS VIDEOS TECHNOLOGIES TEST CENTER EVENTS	About \| Advertise \| Awards \| RSS \| Contact Us
Copyright © 2008, Reprints, Permissions, Licensing, IDG Network, Privacy Policy, Terms of Service. All Rights reserved. InfoWorld is a leading publisher of technology information and product reviews on topics including viruses, phishing, worms, firewalls, security, servers, storage, networking, wireless, databases, and web services. CIO :: ComputerWorld :: CSO :: Demo :: GamePro :: Games.net :: IDG Connect :: IDG World Expo Industry Standard :: IT World :: JavaWorld :: LinuxWorld :: MacUser :: Macworld :: Network World :: PC World :: Playlist TecChannel :: TecCommunity