Microsoft Issues IE Patch Early

Russian hackers

The cumulative patch for Internet Explorer 5.01, 5.5 and 6.0 is in fact a replacement for a February fix. Rated "Critical" by Microsoft, the highest warning in the Redmond, Wash.-based developer's four-step scale, the company said that "customers who use Internet Explorer...should apply the update immediately."

Earlier this month, Microsoft posted a temporary fix and then a tool for cleaning infected systems. On Wednesday, Dean Hachamovitch, who oversees development for IE, promised that a patch would be issued within a week.

The vulnerability exploited by the June attack--which used the Download.Ject Trojan to hijack machines and then introduce information-stealing key loggers and other code to rip off bank and credit card account numbers--was officially dubbed "Navigation Method Cross-Domain Vulnerability" by Microsoft.

Attackers can remotely gain control of a PC running IE if they're able to entice users to a malicious Web site. Once the user has surfed to the hacker's site, the attacker can use the vulnerability to run code, such as JavaScript, across a security boundary, or domain, within the browser.

The Download.Ject attack, however, didn't rely on getting users to visit a malicious site, but instead fed them infected pages from previously compromised Web servers running Microsoft's Internet Information Services software. That tactic was stymied earlier by Microsoft when it published a work-around that changed Windows' configurations.

The other vulnerabilities in this collective patch involve flaws in how IE handles both .bmp and .gif images.

The most serious of the trio, said Alfred Huger, vice president of engineering for Symantec's virus watch group, is the cross-domain gaffe. "We've seen multiple exploits in the wild," he said. "It's the most serious since it's been actively exploited for the last month."

Exploits for the .bmp vulnerability also exist, said Microsoft, and proof-of-concept code has been published for the .gif issue.

All three of the vulnerabilities packaged Friday by Microsoft can be exploited remotely, and allow hackers to grab control of machines and load software of their choice--such as a Trojan to open a backdoor--or do anything someone with administrator privileges can do on the system, including deleting files or reformatting the drive.

While the unusual timing of the patch may have fueled suspicions that something else was afoot--perhaps Microsoft was trying to get ahead of an impending attack?--that wasn't the case.

Microsoft had promised the patch for weeks, and on Wednesday, Hachamovitch said it would be released as soon as he was satisfied quality assurance testing was completed.

Nor is there any evidence of another exploit of the cross-domain vulnerability. "Nothing's brewing on our DeepSight network," Huger said, referring to Symantec's global system of sensors and systems that tracks Internet activity.

This story courtesy of TechWeb.