Experts agree on method, not scope of IIS attacks

BOSTON - One day after reports of Web site attacks surfaced, there was disagreement about how widespread the attacks were and how many Internet users were affected by them.

Security experts on Friday said companies that failed to apply a recent software patch for Microsoft Corp.'s Internet Information Services (IIS) Version 5.0 Web server were vulnerable to a new Web-based attack from an online criminal hacking group, while Microsoft acknowledged that even individuals running the latest patches for IIS and the Internet Explorer Web browser could be affected if they did not make additional configuration changes. But there were widely different accounts of the attacks' impact on companies and Internet users.

Hackers are using a recently patched hole buffer overflow vulnerability in Microsoft's implementation of SSL (secure sockets layer) to compromise vulnerable Windows 2000 systems running IIS, Microsoft's Web server, said Stephen Toulouse, security program manager in Microsoft's Security Response Center.

Microsoft patched that hole in April when it released Security Bulletin MS04-011, so companies that installed the patch were not vulnerable to compromise, and attackers did not use an unknown or "zero day" hole to compromise IIS, he said. (See: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx.)

However, the story is more complicated for Internet users and Web surfers. The recent attacks used two vulnerabilities in Windows and the Internet Explorer Web browser to silently run the malicious code on machines that visited the compromised sites, redirecting the customers to Web sites controlled by the hackers and downloading a Trojan horse program that captures keystrokes and personal data, he said.

One of those vulnerabilities was in code for Microsoft's Outlook Express e-mail client that interpreted a kind of URL (Uniform Resource Locator) known as a MIME Encapsulation of Aggregate HTML, or MHTML URL, which allows documents with MHTML-encoded content to be displayed in software applications like the Internet Explorer Web browser. That vulnerability was addressed in a security patch from Microsoft, MS04-013, also released in April, he said. (See: http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx.)

The second vulnerability was discovered last week and Microsoft does not have a patch for it, Toulouse said. That hole, called a "cross zone scripting" vulnerability, allows attackers to trick Internet Explorer into loading insecure content using relaxed security precautions typically applied to files stored on the local hard drive or obtained from a trusted Web site such as www.microsoft.com, according to experts.

Even Internet Explorer users who apply the MS04-013 patch could still be compromised, Toulouse said. Only setting the Internet Explorer security level to "high," and having up-to-date antivirus software to spot the Trojan horse program as it is downloaded can prevent infection, he said.

"Due to the way this exploit utilizes an unpatched vulnerability we were just made aware of, the mitigation here is to follow our safe browsing guidance and have updated antivirus software," Toulouse said.