Workaround for Unpatched IE Flaw
A few news outlets have called attention to an unpatched, critical flaw tied to Microsoft's Internet Explorer Web browser that could let bad guys take over vulnerable Windows machines if their users browse a site controlled by potential attackers.
The stories note that Microsoft is investigating the reported vulnerability. Meanwhile, computer code showing exactly how to take advantage of the flaw was published online today. The problem resides in a file installed by Microsoft's Visual Studio .Net, but the vulnerable component is also installed by other applications, such as Microsoft Office 2000, and certain software drivers for the latest ATI computer graphics cards.
The easiest way to avoid falling victim to this flaw is simply to use another browser, like Firefox, Netscape or Opera. If you absolutely must use IE, the folks over at the SANS Internet Storm Center have a (non-Microsoft approved) "patch" that will effectively disable the vulnerable portion of the code.
UPDATE, 4 p.m. ET: The SANS Internet Storm Center has moved to "code yellow" over this latest flaw, explaining their rationale this way: "We moved to Yellow as we feel widespread malicious use of this vulnerability is imminent, and the workarounds shown here provide sufficient countermeasures to be applied quickly." It's worth noting that it's a fairly big deal when these guys move to yellow; their chief tech guy Johannes Ullrich says the Storm Center does in fact have a "code red" icon but has never used it. Ullrich says it's mainly just for giggles really, because their definition of "code red" is a condition in which the Internet would be in such a sorry state that you probably wouldn't be able to get to their site to check it anyway (think widespread exploitation of a certain Cisco vulnerability, for example).
UPDATE, 4:50 p.m. ET: Microsoft has put out an advisory on this problem, with its own, somewhat more technical suggestions on how affected users could fix IE until an official patch is available. Microsoft said it is working on a fix for the problem, which it said it may issue outside of its regular, second-Tuesday-of-the-month patch release cycle, as it did last month to fix another IE problem.
The company also used the advisory to scold the security researchers who today posted instructions showing everyone how to exploit the flaw:
"Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests."