Network News

X My Profile
View More Activity

Check Your Exposure to Microsoft Flaw

There has been quite a bit of concern in the past 48 hours over the release of an exploit for a newly discovered critical security hole in Microsoft's Internet Explorer browser that could let nasty Web sites seize control over visitors' computers.

Microsoft says it is still investigating the vulnerability, and yesterday published some information about which of its systems are vulnerable to this threat.

Microsoft acknowledged Monday that even computers running Windows XP with the latest patch and security bundle (a.k.a. Service Pack 2) are exposed to this flaw if they surf the Web with IE. The SANS Internet Storm Center changed its "infocon" status from green to yellow last night because Microsoft has not yet released a fix.

And once again, Security Fix notes that while the Department of Homeland Security's US-CERT also warns about this threat, it still does not suggest that users even consider cruising the Web with any other browser.

Now, the folks at the Storm Center have put up a simple script that shows site visitors whether they are vulnerable to this latest exploit (that is, whether the site could have taken complete control over your machine if it were so inclined.)

Sansscreen_1Look at the area near the top center of the page, under the pink text box (see screen shot at right). You may have to refresh or reload the page after initialy visiting the site to see your diagnosis. If you browse the site with IE, chances are it will say you are vulnerable. If you go there in any other browser, most likely it will say you're okay.

As of this writing, nearly 50 percent of those who visited the site since midnight were using IE and were vulnerable to this attack. Considering the background of the folks most likely to browse the Storm Center regularly, that is a troubling percentage.

Johannes Ullrich, chief technology officer for the Storm Center, said the site regularly gets 30,000 to 40,000 unique visitors per day. About 40 percent of visitors browse it using Firefox, Ullrich said, while another 3 percent use Opera (neither browser is vulnerable to this flaw.)

Browser flaws -- especially those that allow attackers to install software and grab control of the victim's machine -- are nearly always first seized upon by purveyors of adware and spyware, but they can also be used to plant viruses, worms and "Trojan horse" programs as well.

In this case, the exploit released for this vulnerability is exceedingly easy to use. If the admittedly small sample size evidenced by the SANS experiment is any indicator, this flaw could very soon create some serious problems for IE users. 

By Brian Krebs  |  November 22, 2005; 10:30 AM ET
Categories:  Latest Warnings , Safety Tips  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Check Your Exposure to Microsoft Flaw
Next: Check Your Exposure to Microsoft Flaw

Comments

Once again, ActiveX comes around to bite Microsoft.

Posted by: William | November 22, 2005 11:18 AM | Report abuse

Umm...not to defend ActiveX, but.... javascript?

Posted by: AJ | November 22, 2005 11:29 AM | Report abuse

Hey, what with using Safari on the Mac I'm feeling all left out from this spyware fun! :D

Posted by: John Muir | November 22, 2005 11:39 AM | Report abuse

People have already pointed out that this flaw amounts to a denial of service attack on Mozilla Firefox (and presumably other mozilla-based, javascript-enabled browsers).

Having your browser lock up isn't too scary--especially when it isn't deeply integrated into your other OS functions like IE is--but it is annoying.

Posted by: ouij | November 22, 2005 12:14 PM | Report abuse

Users will be much better off when and if Apple makes a general release of OS X for Intel platform. As I type this from my Powerbook, I know I am not affected.

Posted by: Troy | November 22, 2005 1:16 PM | Report abuse

Don't feel left out, OSX folks.

OSX/Safari is listed in the SANS top 20 vulnerabilities:

http://www.sans.org/top20/#u2 "Mac OS X also includes the Safari web browser. Multiple vulnerabilities have been found in this browser and in certain cases exploit code has also been posted publicly."

Posted by: anonymous | November 22, 2005 5:06 PM | Report abuse

I really would like to see some names of who these criminals are. Shine the light on these cockroaches. Who wrote and launched the first Sorber attacks, or previous other viral and worm attacks for that matter? Have they been apprehended? What ISPs did they use to launch the initial attack? What countries were the attacks launched from? Are there some ISPs and countries that are particularly notorious for being used by attackers over and over again? Can internet traffic from these notorious ISPs and countries be more carefully monitored? And why can't ISPs or the dozen or so Internet server complexes around the world serve as the first line of defense against worms and viruses?

Posted by: Allron K Wilson | November 23, 2005 2:27 PM | Report abuse

Please, would everybody using IE just ignore Microsoft's FUD about "may impair functionality":
http://support.microsoft.com/kb/174360

and right this minute set their Internet zone to High security settings?
http://www.pcworld.com/howto/article/0,aid,122500,00.asp [#5]
(Eliminate the resulting "ActiveX disabled" dialog box with AutoClose:
http://www.frankisoft.com/ )

This will at least gain you a breathing space to decide what steps to take next. At worst, you can always set your Internet zone back to the default Medium security settings.

Everyone in the world should not be able to run unknown code on your computer; the wild, wild Web is not trustworthy, no way, no how; thus, active-scripting functionality should not be exposed to it, but only to sites which the user explicitly permits (that's why the Restricted Sites and Trusted Sites zones have lists).

Posted by: Mark Odell | November 23, 2005 5:15 PM | Report abuse


Does installing Sun's Java JRE 1.5.0 make IE more secure from javascript exploits? I am under the impression that Sun's JRE in some sense replaces the insecure MS VM that is used by default for java in IE. There is an item listed as "Use JRE 1.5.0_04 for " on the "Advanced" tab of Internet Options that is selected - does this mean that my IE is immune from this exploit since it is using Sun's VM instead of Microsoft's? Could someone that more fully groks java enlighten me please?

P.S. Yes, I already use Firefox for 99% of my browsing.

Posted by: te | November 29, 2005 5:13 PM | Report abuse

>>Does installing Sun's Java JRE 1.5.0 make IE more secure from javascript exploits?

No, Java and JavaScript are different beasts, and are handled separately in IE.

>>I am under the impression that Sun's JRE in some sense replaces the insecure MS VM that is used by default for java in IE.

Correct.

>>There is an item listed as "Use JRE 1.5.0_04 for " on the "Advanced" tab of Internet Options that is selected - does this mean that my IE is immune from this exploit since it is using Sun's VM instead of Microsoft's?

Not from this JavaScript exploit, but from other Java exploits such as the ByteVerify trojan:
http://www.mnin.org/write/2005_jpegtodll.html

>>Could someone that more fully groks java enlighten me please?

Determining which JVM is installed:
* http://www.thebulliondesk.com/html/faq.htm#tech
Installing Sun JRE 1.5.0:
* http://www.java.com/en/download/help/5000010200.xml
Switching between the Microsoft VM and the Sun JRE:
* http://www.java.com/en/download/help/5000020100.xml
Uninstalling the Microsoft VM:
* http://www.windowsitpro.com/articles/index.cfm?articleid=38206&cpage=14

I strongly recommend that everyone using IE set 'Java permissions' to 'Disable Java' in the Internet zone (selecting High security settings does NOT do this automatically).

Posted by: Mark Odell | November 30, 2005 11:54 PM | Report abuse

haha i don av a clu wat u lot r on a bout!!!!! blablabla

Posted by: annonymus | December 13, 2005 8:54 AM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company