Attackers Exploit Unpatched Explorer Flaw

Microsoft is warning Windows users that hackers are exploiting a newly discovered flaw. It enables criminals to hijack Windows PCs if users merely visit a hostile Web site with an Internet Explorer browser or open a specially crafted e-mail message.

The vulnerability stems from a weakness in the "animated cursor" function built into most Windows machines. The company, based in Redmond, Wash., says it is working on a security update to patch the hole, but cautions customers about visiting unfamiliar Web sites or viewing unsolicited e-mail. This vulnerability applies to every version of Windows and Internet Explorer, including version 7. However, Microsoft says that people browsing with IE7 on the new Windows Vista operating system should be protected from this attack.

Microsoft's advice about visiting "untrusted Web sites" is not entirely helpful or complete. We've seen plenty of these attacks executed through legitimate Web sites that attackers have seeded with malicious software. It may be best to choose another browser, such as Mozilla's Firefox or Opera Software's Opera. This is an excellent example of how running Windows under a limited user account can save you from worrying about these kinds of threats.

By Brian Krebs  |  March 29, 2007; 3:10 PM ET
Categories: Fraud, Latest Warnings, Safety Tips

Comments

However, Microsoft says that people browsing with IE7 on the new Windows Vista operating system should be protected from this attack.

BK, understand that I don't blame you for the content of the MS (technical) assertion, but seriously, how can this statement be conditionally true?

Could it be, to match them subjunctive for subjunctive, a load of Marketing Dept. crap about a very serious matter?

Posted by: GTexas | March 29, 2007 5:19 PM | Report abuse

GTexas,

Vista requires that you confirm software installations by pressing "OK" on a special screen that's hard to mimic by software (the rest of the screen goes grey). You can ramp up security even more by requiring the user to enter the admin password. This would be similar to what should happen if you tried to install a program with a limited account in Windows XP- but in that case it should just fail (not prompt for password).

However, I was shocked when I recently tried to install Firefox under a limited Windows XP Pro account and it installed fine! I couldn't install it to the Program Files directory, but I could install it to My Documents. I think that program is just packaged differently, and installing it is just like unzipping it. But a limited account is undoubtedly safer than an admin account, it just doesn't block all types of software installation.

Posted by: michael | March 29, 2007 6:10 PM | Report abuse

Could it be the source of these emails I got today? My machine is fully patched using today's Symantec def's, and we have Antigen on exchange, yet some spam was received 3 times with an image and link to here: (edited)
http:
//cyberbutt[dot]com/IE7.0.exe

Posted by: Superfreak | March 29, 2007 6:40 PM | Report abuse

michael: Do you have XP Home or Professional? Is your filesystem FAT or NTFS? It makes a difference as to how effective a limited-user account is.

Posted by: paranoid | March 29, 2007 8:37 PM | Report abuse

yet another reason to eschew Microsoft and the usual PC nonsense altogether. Mac OS X + Firefox = a better way!

happy surfing!

Posted by: synergykyd | March 29, 2007 9:34 PM | Report abuse

For the more experienced, gentoo linux, or freebsd is the way to go. For others there is ubuntu.
It absolutely makes no sense to buy vista, at these prices, with the same problems every single windows had before. I will eventually stop selling windows computers, and teach people how to use linux. It's the better way. I find macs to be too expensive, but they are still a much better way to stay connected.

Posted by: Viktor | March 29, 2007 10:11 PM | Report abuse

Every time (and it's often) that I see a story like this I wonder how much longer people are going to put up with MS. I got fed up and went to Ubuntu Linux AND I'M LOVING IT. People, you have options to crappy MS software!

Posted by: Mike | March 29, 2007 10:13 PM | Report abuse

Just recently educated and taught myself how to install and setup Ubuntu distributions. Far cry from the older RH 7 days...

I can almost replace 98% of my entire XP box at work and use Ubuntu exclusively; I have used Vista and I am not impressed.

We have been pushing away from MS apps altogether (e.g. Explorer --> Firefox, Outlook --> Thunderbird, etc.). If you are in a large environment, I would recommend the Evolution email client.

For remote offices I give them a new PC or a thin client terminal to be used with Citrix. Recently, I have discovered that there are Linux versions that mimic what Citrix does and from what I have seen it's sweet.

NO VISTA...NO OFFICE 2007

Posted by: DOUGman | March 29, 2007 11:09 PM | Report abuse

Sounds like a good way to sell more copies of Vista

Posted by: g888h8r | March 30, 2007 11:45 AM | Report abuse

There's an UNOFFICIAL (insert all caveats/disclaimers here) fix for this at the eEye website. In case the link is not permitted, just google eEye zero day patch.
No commercial interest, etc., just for user's info pending MS eventual release of a patch.
http://research.eeye.com/html/alerts/zeroday/20070328.html

Posted by: Tjohn | March 30, 2007 1:40 PM | Report abuse

Michael,

Thanks for the explanation. My point was that, if you own more than just a few computers, the MS *solution* - Buy Vista - just makes you angry.

Sounds like MS-IE7 "serves at the pleasure" of the MS-OS, if you'll excuse the expression, unlike Firefox and Opera, which work independently aside from Install/Uninstall(read: hire/fire). Gotta admire Microsoft's chutzpah, stealing innovative business methods from the Department of Justice!

Posted by: GTexas | March 30, 2007 11:44 PM | Report abuse

SANS has raised the INFOCON level to Yellow. They rarely move out of the green. Might want to keep an eye on their diary. http://isc.sans.org/

Posted by: David Taylor | April 1, 2007 9:19 AM | Report abuse

Microsoft announced at the MSRC blog that they are releasing a patch for this on Tuesday, April 3.

Posted by: Sue | April 1, 2007 11:20 PM | Report abuse

More on this issue available here:

http://infosecsellout.blogspot.com

DO NOT install the eEye patch; it does not protect you.

Posted by: infosecsellout | April 2, 2007 12:22 AM | Report abuse

There is another unofficial patch put together by the folks at ZERT (Zero-Day Emergency Response Team), which (unlike the eEye patch) does actually block the exploit directly. The patch bulletin is available at:

http://zert.isotf.org/advisories/zert-2007-01.htm

There is a download link for the .zip archive containing the patch (source + binaries, 466KB) from that page. The bulletin also has a concise description of the vulnerability.

As Sue noted, MS plans to release a fix for this tomorrow. They have a note on it here:

http://www.microsoft.com/technet/security/bulletin/advance.mspx

Finally, I have to add that I have been using Linux (Debian at first, now Ubuntu) on my personal machines for 4+ years now, and I miss Windows in the same sense that I miss the broken leg I had 20 years ago. :-)


Posted by: Rich Gibbs | April 2, 2007 11:55 AM | Report abuse

So I finally updated to ie7 for my back up browser in case I need to use it instead of Firefox. Now I doubt I will ever really abandon Microsoft for most applications but ie is really treading on thin ice for me.

Posted by: Michaeld | April 2, 2007 12:46 PM | Report abuse

Microsoft's advice is misguiding. IE7 does not protect or prevent exploitation. The bug is not even related to the web browser, it is in USER32.DLL, a Windows component used by many different subsystems of the OS. The web browser is just but one of all the possible attack vectors.

Posted by: ivan | April 3, 2007 8:46 AM | Report abuse

I'm amazed how much loyalty there is for Windows. To me Vista's performance (given the level of hardware it needs) is not impressive. Frankly I don't think MS deserve the level of loyalty that they get.

For frustrated windows users out there .. I urge you to look at any one of the many excellent Linux distros available to you ... I think you'll be very pleasantly surprised at how user friendly they are now, and you can test drive them as a live CD.

My choice is Xandros, but there are so many free distros you may want to look at Ubuntu, PCLinuxOS, Mepis .. any one of them will be a better choice than going through this nonsense time after time.

For those of you determined to stay the Windows route ... I truly wish you luck, I'm afraid you're going to need it.

Posted by: linux user | April 5, 2007 9:06 AM | Report abuse

Too many buzz for so small issue. Install any sandbox HIPS solution and forget about malware penetration and Internet-related threats forever.

Posted by: Ilya Rabinovich | April 5, 2007 3:49 PM | Report abuse

quote:

"Too many buzz for so small issue. Install any sandbox HIPS solution and forget about malware penetration and Internet-related threats forever."

While those of us with IT/IS experience may know what you are talking about, the garden-variety Windows user would be absolutely lost after the word sandbox. The simple fact is that most users don't even know how to use Windows Firewall and they think that their anti-virus software (which is not up-to-date about 80% of the time) will prevent spyware and other threats. I used to be a hardcore MS user - ever since NT - and I was a Network Admin for a large school district, but no more MS BS for me. As long as Microsoft insists on continuing to supply buggy and insecure software I will not use them. Vista is somewhat of a step in a better direction, but the hardware requirements for the Aero interface prove how bloated and memory-hungry the OS is, not to mention the fact that unless Vista is kept locked down it is still prone to the same problems as XP. I've used Linux and loved it, but the average home user will have issues with that as well. Most people just aren't tech-savvy enough to deal with drivers and compatible hardware - they just want it to work when they use it. I took a job as a technician for a recording studio where OS X is used exclusively and couldn't be happier dealing with it. MUCH more stable than Windows - not saying it's flawless - but I can recommend it to most people that ask about what to buy for home use. Now before you MS slaves start with that "fanboy" crap: I have a home-built Intel P4HT desktop machine at home with multiple hard drives - one has OS X 10.4.8 (see InsanelyMac.com), one has Vista beta, one has XP Pro SP2 - but I only boot off OS X. Why? Simple - I never have to worry about spyware or viruses or security exploits to the degree I did with Windows. For the average home user who wants to burn cds, import photos from their camera, surf the internet, edit home movies, etc. a Mac would do all this with far less problems than a PC. Generally, you don't need driver CDs, not to mention no real worries about spyware, etc. 
Even the laptop that I'm writing this on is a PC running OS X and it works better as a Mac than it ever did as a PC. Yes, you have to learn a different OS, and yes, Mac systems are more expensive than the $599 after-the-rebates equivalent system that you can buy at Wal-Mart, but the simple fact is you get what you pay for and learning OS X is simple enough for a child. I'll take that quality any day of the week over a low price because when your $600 system gets loaded up with all sorts of spyware and viruses and Geek Squad removes them for the low, low price of $300 (and wrecks your system in the process), I'll still be surfing and burning and downloading just fine! :)

PSST... You could've used that $900 to buy a top-shelf Mac Mini with upgrades and you would still have enough left over to buy a case of beer or two.

Posted by: synergykyd | April 5, 2007 7:04 PM | Report abuse

"While those of us with IT/IS experience may know what you are talking about, the garden-variety Windows user would be absolutely lost after the word sandbox."

Yup, that is true. But the fact is that 8-10 years ago users had no idea about the word "firewall". Nowadays, many of them still don't know what it is and why they are using it, but they are... And the world became a little safer. Same with sandbox HIPS - it is a question of PR and time. And, even if users have no idea what it is and why they are using it, this world will be much safer if they start using those technologies as they are using firewalls and anti-viruses right now.

As for Apple software - well, there is no invulnerable software, there is low-spread software. Just remember Firefox - a huge number of vulnerabilities were found inside it (some of them were critical) when it became noticeable worldwide...

Posted by: Ilya Rabinovich | April 6, 2007 6:52 AM | Report abuse

"I've used Linux and loved it, but the average home user will have issues with that as well. Most people just aren't tech-savvy enough to deal with drivers and compatible hardware - they just want it to work when they use it."

Luckily most Linux distros seem to have overcome that hurdle ... Xandros, Ubuntu, PCLinuxOS, Mepis and a host of others seem to simply install on most PCs with no fuss or bother. Certainly easier than XP.

Posted by: linux user | April 6, 2007 9:19 AM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company