Network News

X My Profile
View More Activity

Workaround for Unpatched IE Flaw

A few news outlets have called attention to an unpatched, critical flaw tied to Microsoft's Internet Explorer Web browser that could let bad guys take over vulnerable Windows machines if they browse a site controlled by potential attackers.

The stories note that Microsoft is investigating the reported vulnerability. Meanwhile, computer code showing exactly how to take advantage of the flaw was published online today. The problem resides in a file installed by Microsoft's Visual Studio .Net, but the vulnerable component is also installed by other applications, such as Microsoft Office 2000, and certain software drivers for the latest ATI computer graphics cards.

The easiest way to avoid falling victim to this flaw is simply to use another browser, like Firefox, Netscape or Opera. If you absolutely must use IE, the folks over at the SANS Internet Storm Center have a (non-Microsoft approved) "patch" that will effectively disable the vulnerable portion of the code.

UPDATE, 4 p.m. ET: The SANS Internet Storm Center has moved to "code yellow" over this latest flaw, explaining their rationale this way: "We moved to Yellow as we feel widespread malicious use of this vulnerability is imminent, and the workarounds shown here provide sufficient countermeasures to be applied quickly." It's worth noting that it's a fairly big deal when these guys move to yellow; their chief tech guy Johannes Ullrich says the Storm Center does in fact have a "code red" icon but has never used it. Ullrich says it's mainly just for giggles really, because their definition of "code red" is a condition in which the Internet would be in such a sorry state that you probably wouldn't be able to get to their site to check it anyway (think widespread exploitation of a certain Cisco vulnerability, for example.)

UPDATE, 4:50 p.m. ET: Microsoft has put out an advisory on this problem, with its own, somewhat more technical suggestions on how affected users could fix IE until an official patch is available. Microsoft said it is working on a fix for the problem, which it said it may issue outside of its regular, second-Tuesday-of-the-month patch release cycle, as it did last month to fix another IE problem.

The company also used the advisory to scold the security researchers who today posted instructions showing everyone how to exploit the flaw:

"Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests."

By Brian Krebs  |  August 18, 2005; 12:48 PM ET
Categories:  New Patches  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: SoBig.F's Second Anniversary
Next: Customs Crashed by Zotob

Comments

Ok, Matt. I know you're lurking around here somewhere. Why should we use IE and not immediately flee to another browser?

Posted by: Julio | August 18, 2005 5:31 PM | Report abuse

Note that the ISC has scolded microsoft for
their repeated attempts at a fix that have proven entirely ineffective.

Posted by: Anonymous | August 18, 2005 5:40 PM | Report abuse

If you want to use another browser, I have no problems with that. Just don't let your guard down on the web because you are not running IE.

The interesting thing to note about this exploit is that it (so far) does not appear to have an elevation of privilege component. So if you are running Windows with limited rights (not as admin), the effect of this exploit if you were to be targeted would be about zip.

I realize not everyone is savvy enough to run LUA on XP, but it is notable.

Posted by: Matt | August 18, 2005 7:39 PM | Report abuse

There are lots of browsers out there. I keep a few installed and only use basic IE for MSN. If I can't get proper results, tsk. Better that than malware.

Posted by: opit | August 18, 2005 7:42 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company