Network News

X My Profile
View More Activity

Non-Microsoft Patches Issued for IE Flaw

A couple of computer-security companies have separately released free patches to plug a critical security flaw in Microsoft's Internet Explorer browser that hacker groups have been exploiting to steal passwords from Windows users.

The third-party fixes from Aliso Viejo, Calif.-based eEye Digital Security and Determina of Redwood City, Calif., came after Microsoft said it did not plan to issue its own update until April 11, the next date in its regular monthly security-update cycle.

Meanwhile, security experts have identified at least 200 Web sites that are being used to install password-stealing malware on Windows PCs when users merely visit one of the sites with IE.

This scenario is shaping up in a familiar way. During the final days of 2005, hackers released code that could be used to break into Windows computers whose users visited certain Web sites or opened image files infected with the code. After thousands of Web sites began using the code to install spyware and other unwanted crud, independent security researcher Ilfak Guilfanov on Jan. 1 released a free patch to fix the problem.

Amid growing criticism for saying it would wait another nine days to issue its own update, Microsoft accelerated its patch process and pushed out a fix by Jan. 5.

Microsoft says its engineers worked through the weekend on a patch for the current flaw, and that the company may issue an update before April 11 "if warranted" and "as soon as it's ready" (that is, tested to Redmond's satisfaction that it does not break or interfere with other Windows components or third-party applications.)

I haven't spoken yet with anyone who has fully vetted either of these unofficial patches, so I can't really recommend that anyone install them at this time. Johannes Ullrich, chief research officer at the SANS Internet Storm Center, said SANS also can't vouch for either patch. But Ullrich said he's briefly examined the eEye fix and found that it should work, although he added that it's difficult to tell whether it will play nice with the final update issued by Microsoft.

My gut tells me Microsoft won't wait until April 11 to release its update, as we will likely see even more Web sites being hacked or created by attackers to host malicious code that leverages the IE flaw to install badware.

By Brian Krebs  |  March 28, 2006; 10:03 AM ET
Categories:  New Patches  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Attacks on Unpatched IE Flaw Escalate
Next: RealNetworks Fixes Critical Media-Player Flaws


Get a Mac.

Posted by: Jerome | March 28, 2006 12:08 PM | Report abuse

Jerome, get a life.

Posted by: Not a Fool | March 28, 2006 12:16 PM | Report abuse

Which version(s) of IE does this effect?

Posted by: Tim 42 | March 28, 2006 12:16 PM | Report abuse

Anyone who didn't switch to Firefox a long time ago was just asking for it.

Posted by: Frank | March 28, 2006 12:26 PM | Report abuse

Indeed, here is the patch for IE:

Posted by: Frank | March 28, 2006 12:27 PM | Report abuse

Frank, see Not a Fool's advice to Jerome.

Posted by: Fred | March 28, 2006 12:30 PM | Report abuse

A lot of users here started to complain when ActiveX was Disabled yesterday. They mostly complained that they could not get into their bank website.

Rather than setting the 'Run ActiveX controls and Plug-ins' to either 'Disable' or 'Prompt', there is another way that will allow you to create a 'white-list' of those controls that are ok. Since a typical user will just click OK when prompted while others will complain that 1/2 of the Internet is broken if set to disable, it could be set to 'Administrator Approved' after specific controls are identified.

This option lets you to identify only those ActiveX controls and plug-ins that you permit to run on each machine by listing their CLSID in the registry. An easy to understand article on this is here (I found it / did not write it):

The registry can be updated on a regular basis with new controls that become approved by the local admin – or – a user could petition that the control for their bank could be added (for example).

Just an idea....

Posted by: Sendai | March 28, 2006 12:35 PM | Report abuse

Fred and Fool - get a life and either a better OS or a better browser.

Posted by: Not an Idiot | March 28, 2006 12:36 PM | Report abuse

I have a life. I also have multiple OSes & multiple browsers. Choose your own devil. No one else cares to hear about it.

Posted by: Fred | March 28, 2006 12:42 PM | Report abuse

arguing on the internet is like...

Posted by: random surfer | March 28, 2006 12:45 PM | Report abuse

Oh Yeah!?!? Well, well... um, uuhh, your computer is dumb!

(he said while smartly placing his arms on his hips, slightly bent forward)

Posted by: Stop It Children | March 28, 2006 12:54 PM | Report abuse

does anyone know if the Ilfak Guilfanov patch works? if so why are there 2 new patches?

Posted by: profmcf | March 28, 2006 1:20 PM | Report abuse

Posted by: Anonymous | March 28, 2006 1:20 PM | Report abuse

'profmcf': The Ilfak Guilfanov patch was for a different IE vulnerability; and yes, it worked very well. It will have no effect on this new problem however.

Posted by: Sendai | March 28, 2006 1:26 PM | Report abuse

I just installed Firefox. Is it my imagination, or is it a lot faster than IE?

I admit it. I was one of those people who assumed that Norton Antivirus and Norton Personal Firewall would protect me from anything.

Last week, with my dial-up connection, I spent hours, and hours, and hours, downloading Windows security patches. I was literally years behind.

Posted by: John Johnson | March 28, 2006 1:34 PM | Report abuse

Firefox is faster than I.E., mainly because it:
a. renders pages faster
b. makes heavy use of your available memory to cache pages, so you get a quick response when going back to a previous page.

Suggestions for Firefox:

- To enhance security, add the "NoScript" extension to keep out Javascript except on sites that you allow.

- To block ads, get the "Adblock" and "Filterset.G" extensions.

- To block Flash animations and embedded videos and audio (i.e. annoying music playing on certain web sites), get the "Flashblock" and "Stop Autoplay" extensions.

Posted by: Ken L | March 28, 2006 2:06 PM | Report abuse

Why doesn't someone release a list of the websites that are dangerous so we can avoid them until Microsoft gets its update out into the marketplace? Better yet, incorporate a way to block our computers from visiting dangerous websites, as we would avoid dangerous neighhborhoods if we were driving a car.

Posted by: Mary | March 28, 2006 2:06 PM | Report abuse

I have tried one of the patches and with it my media player does not work. Once I remove it media player once again functions. Too many programs interacting with one another create just one huge mess.

Posted by: Dorsal Root Ganglia | March 28, 2006 2:13 PM | Report abuse

Microsoft recommends you only visit web pages you know and trust until they get this fixed.

What good is the internet if you can't search out new information from new sources?

Posted by: camofram | March 28, 2006 2:23 PM | Report abuse

If you wish to block infected sites one might investigate using some of the community updated and support `BlockLists` that are used by myself and MANY who are concerned about security on the PC/Net these days. Please check out one site I am part of and read up on the BLM or BlockList Manager and ProtoWall which compares *all* IP Traffic to these block lists and actively filters out those you don't want/need.

Thanks and good luck!

Posted by: Ictinike | March 28, 2006 3:51 PM | Report abuse

Nobody will release a list of blocked sites because that will simply enable propagation of this problem on a more widespread scale. "Show me where to find the buggy code so I can exploit it in more places." Is essentially what that would enable.

Using another browser is not always a viable alternative, in business environments many users cannot simply install software on their laptop without the blessing of the company's IT department.

Personally I think this 'fatal, earth critical' issue is just media starving for a story, if the list of sites with this exploit are small enough that they can indeed be just written down, is it really that critical? I read another article that referenced 'hundereds of sites' being that the internet has trillions of pages, is something effecting .00000000001% of the internet's content really a 'critical' issue?

Turn off the offending options in IE, use another browser (Lynx, anyone?), or just avoid going to warez sites, and you'll be fine.

Posted by: Gregg | March 28, 2006 4:26 PM | Report abuse

Greg, Check the site I listed and then comment on blocklists and their effectiveness.

Posted by: Anonymous | March 28, 2006 4:30 PM | Report abuse

Sorry, my fingers typed faster than my brain when I wrote out the above post; I ment to word it as nobody *should* post a list of sites using this exploit, for the reasons I stated. Not that there are not services out there that can be used to block access to sites with this kind of content.

Posted by: Gregg | March 28, 2006 4:36 PM | Report abuse

. . . "Microsoft says its engineers worked through the weekend...and...we may get out there sooner than the 11th..."

Gee, pulling out all the stops!

Posted by: Here we go again | March 28, 2006 5:32 PM | Report abuse

There is already software that actually loads
a list of blocked sites on IE and firefox
try spywareblaster
it's free and it gets updates
Of course it is not a green-cure-it-all pill
but it's better than nothing.

Posted by: Ajozz | March 28, 2006 5:49 PM | Report abuse

I wish Bill would wise up and split his gig
into APPco and OSco. That way, things wouldn't be so intertwined. Mickeysoft
is just too much of a lumbering behemoth
to get anything done in a quick efficient manner.

Posted by: Gazimba Mobutu | March 28, 2006 6:07 PM | Report abuse

I've been using IE7 for a while now. Am I equally at risk with IE7 or i am safer now? How can I detect these malwares running on my machines?

btw, I use Firefox whenever I can, but since some sites are developed for IE, I've to use it (you want examples? eCollege, OWA and any and most sites that say 'Best viewed with IE' and actually mean it).

Posted by: Denverite | March 28, 2006 6:21 PM | Report abuse

microsoft might actually be better off and the rest of in the bargan (stuck with windows purchased for us to use) if the justice department had split microsoft into smaller companys. not that they would have been a kinder gentler software giant. They would have had to sort out the pile of spagetti code that is windows

Posted by: D | March 28, 2006 6:35 PM | Report abuse

You don't need IE anymore,
Firefox is fast stable and secure, and it's better than ever and being updated constantly, so do yourself and your computer a favor and replace the broken down dead IE with firefox. Their are no more excuses not to.

Posted by: nick | March 28, 2006 6:46 PM | Report abuse

Hey, while you're ditching IE for Firefox, go ahead and get yourself loaded up with Ubuntu. Say goodbye to Microscum for good. :-)

Posted by: Cassandra | March 28, 2006 7:03 PM | Report abuse

IIiihaaaa! I love Gazimba Mobutu idea:Appco and Osco. it would cut the update release decision in half. The bigger the co the bigger the cra*.
please try firefox ancrd sto worrying about IE flaws...

Posted by: ribatejo from SSA | March 28, 2006 7:24 PM | Report abuse

A block list that forbids all contact with known hostile sites by using a customized HOSTS file:

A block list that, combined with correct settings in I.E.'s Restricted Zone, cripples the ability of known hostile sites to attack your system through I.E.:

Posted by: Ken L | March 28, 2006 7:27 PM | Report abuse

For the rabid firefox fans out there, search for 'firefox exploits' and enjoy reading up on all the lesser known but just as potentially damaging flaws in firefox before you bash IE.

Win back the internet by pulling wool over your eyes, just because it doesn't say 'Microsoft' on it doesn't mean it's better.

Posted by: Win32dev | March 28, 2006 7:32 PM | Report abuse

Modifying or changing your system's HOST file requires administrator rights since this is a Windows system file.

Adding a list of sites to I.E.'s Restricted Zone does not require administrator rights. You're simply using a security feature built into I.E. But instead of adding sites one by one, you're adding over 15,000 threat emitters in one shot.

The Restricted Zone block list referenced by MVPS,

can be installed by right-clicking the file and selecting "Merge." It can take a few seconds for the changes to be made.

Posted by: Ken L | March 28, 2006 7:45 PM | Report abuse

I said firefox is constantly being developed, any exploits are caught and squashed early on. If you want a real comparison, go to , the "in the wild" exploits you are talking about are for old versions of firefox so a simple update fixes that problem. Firefox is 10 times more secure than IE, hands down, end of story.

Posted by: Win32dev | March 28, 2006 8:18 PM | Report abuse

I.E. sucks to high heaven, why do people insist on STILL using the POS???

Posted by: Tom | March 28, 2006 8:37 PM | Report abuse

"Hey, while you're ditching IE for Firefox, go ahead and get yourself loaded up with Ubuntu. Say goodbye to Microscum for good. :-)"

Excellent advice. Ubuntu is GREAT.

Posted by: TomR | March 28, 2006 8:39 PM | Report abuse

funny, because IE is about 10 times more powerful and user friendly... and supports 10 times more usless code and scripting. Has less bugs, and is faster where it needs to be.

But I still use firefox simply for the tabs.

Posted by: docer | March 28, 2006 8:41 PM | Report abuse

plus lets get real... anyone with a brain uses a firewall (not windows), and an antivirus... you think any of those (updated) will let the little bugger in to open up a fatty backdoor? Not.

IE is no more less secure than firefox. It is more popular though.

Posted by: docer | March 28, 2006 8:44 PM | Report abuse

Can't we all just get along?

Posted by: Adam | March 28, 2006 8:57 PM | Report abuse

Dear other poster using my handle. Since you didn't use the name you origionally posted with, I can't respond to which of the multitude of Firefox evangalists you were.

It's being developed, it's gaining a userbase, as long as those two are true, more and more exploits will be found, and abused.

I went to that website you pointed out, shows firefox with 27 advisories, and IE with 81.. Now I'm not a math professor, but ten times 27 is not 81, except for extremely large values of 81. So where does this magical 'Firefox is ten times more secure than IE' statement come from? I'm not sure, but it smells like your rear.

Posted by: Win32dev | March 28, 2006 9:16 PM | Report abuse

yes we can get along. as long as we seperate and quickly go in all directions, without looking back.

oh. and firefox is the patch. unless you are afraid of your computer.

Posted by: blistering headlines | March 28, 2006 9:38 PM | Report abuse

I love ubuntu, it is so stable, at lease on my box. Linux seems to be looking brighter and brighter....

Posted by: B. House | March 28, 2006 11:07 PM | Report abuse

People keep wondering why most users still use IE. Probably it is simply most PC manufcturers ship with no other browser than IE. If more PC manufacturers shipped with alternative browsers set as the default browser then maybe things might improve a lot more quickly.

Posted by: Anonymous | March 29, 2006 12:24 AM | Report abuse

What puzzles me is is why Microsoft say of a fix for this "...if warranted we’ll release that as soon as it’s ready to protect customers..." With such a serious problem, one user being affected because Microsoft prefer to only issue things with its normal monthly updates is surely one user too many. Maybe the moral view in Microsoft is different from the moral view outside.

Posted by: Anon | March 29, 2006 6:03 AM | Report abuse

I understand that F-Secure Anti-Virus/ Internet Security protects against this vulnerability (see posting dated Monday, March 27, 2006). Maybe it is time for some users to review which third party software they use for protection.

Posted by: Steve | March 30, 2006 2:38 AM | Report abuse


Posted by: hyishuai | March 30, 2006 8:01 PM | Report abuse

And,I'm Chinese.

Posted by: hyishuai | March 30, 2006 8:07 PM | Report abuse

What you know, eh? That not Chinese that Korean.

Silly Boy!

Posted by: Sook Lee | March 30, 2006 9:09 PM | Report abuse

Do you know where China is,my friend?Remember,guys,don't despise a country whose history go through more than five thousand years.

Posted by: yeecool | March 31, 2006 7:56 PM | Report abuse

How much respect can you have for a country that's been around for 5000 years, but still hasn't invented the fork??

Posted by: wasteofbandwidth | April 1, 2006 1:33 PM | Report abuse

Chineese Simple - to - English conversion from Bablefish

Why doesn't need to have the IE essence actually to have simply, more convenient outward appearance browser? Microsoft cannot persist in the haughty manner to imitate the others! !

I still don't understand though.

Posted by: me | April 3, 2006 12:23 PM | Report abuse

Why do people still use INTERNET EXPLORER??? Because those people are blind ignorant SHEEP!!!

Don't be SHEEP!!! Quit being such IE Idiots!!! SHEEP get slaughtered because they use IE. Don't be such stupid idiot SHEEP!!!

Use FIREFOX or OPERA. Only use IE for Windows Updates, Office Updates, and for any SHEEP-following websites that only work in IE.

Posted by: EAT SHEEP | April 7, 2006 7:20 PM | Report abuse

Baaaah, Baaaah, Baaaah

Posted by: Lamb Chops | April 7, 2006 7:23 PM | Report abuse

Sheesh... you people. I don't really know whether I want to laugh or cry.

As far as I can discern, the original point of this post was to raise awareness of a security exploit in Internet Explorer. In other words = getting information out which could help anyone possibly experiencing troubles.

But what ends up happening in this list of comments? Petty bickering, nit-picking between minute difference in browsers.

Have none of you caught the idea of all this yet? It is choice.

I use ubuntu on my laptop. It's not a very fast computer so that's what fits me best. In the past I did have a reasonably nice desktop which came with windows but I had a lot of problems with it. I didn't like the fact that I had to have all manner of virus/malware/spyware detectors running day and night to keep my pc safe.

So, I chose to try out Linux and see what it had to offer. Thankfully I found Ubuntu and I have never looked back. Do you know why? Simply because of its community. Offering and asking help off one another - and charging no money for the priviledge of speaking to another human being who's likely as not been in whatever fix you have been.

Many of you may well prefer Internet Explorer to anything else. It's the minimum fuss, it forms a great foundation of Windows XP and it is what you know. Plus as has been mentioned it is very poplar as anybody with Windows (from 98 and above I believe - correct me if I'm wrong) has it right there ready to go on their computer.

I'm most certainly not going to start going into details with you regarding the security of either browser as all I have to tell you is that in ~my~ experience my desktop used to accumulate a lot of nasty little things whenever I used IE, but not when I used firefox. Can't get much simpler than that. But it is still only my experience, I must admit.

Win32dev - I am assuming you have always had a very possitive experience with IE and probably windows in general, but to suggest running a search for "firefox exploits" is ludicrous. Running a similar search for IE would result in a fair few results but does that make both browsers useless and totally unsafe? No. You'd be rubbishing your own arguement.

Therefore, judge Microsoft by it's managment business acumen - not on the number of ways very sad, and very lonely people can hack into your system to one end or another.

And stop telling each other you smell - it's childish and really has nothing to do with computing :)

Make your choice wisely. Whatever your decision is it's never wrong - it is merely your own.


Posted by: Ben | April 15, 2006 10:24 PM | Report abuse

Even with acceptance that it's not my right to have it, that He can and will spill it elsewhere just to drive that fact home, it still hurts.

Posted by: CLONAZEPAM | May 30, 2006 4:03 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company