Microsoft: Big Security Hole in All IE Versions

On Wednesday, Security Fix warned readers about a newly-discovered security hole in Internet Explorer 7. I'm posting this again because Microsoft now says the flaw affects all supported versions of IE, and because security experts are warning that a large number of sites are being compromised in an effort to exploit this vulnerability and install malware on vulnerable systems.

The SANS Internet Storm Center reports that hackers are breaking into legitimate Web sites and uploading code that could install data-stealing software on the machine of a user who visits the site using Internet Explorer. SANS's chief technology officer Johannes Ullrich estimates that thousands of sites have been seeded with this exploit to date.

For example, Web security firm Websense reports that hackers have compromised the Chinese Web site for ABIT, the maker of motherboards that power many home computers. So far, the exploits appear to be only stealing online gaming credentials, but SANS and others warn that attackers will likely use this exploit more deftly in the coming days and weeks.

According to Microsoft's revised security advisory, this flaw is present in every version of IE in use today, from IE5 all the way through to IE8 Beta 2.

Microsoft's advisory includes a host of recommendations for mitigating the threat from this vulnerability. Some of the company's suggestions did not work when I tried them on my Windows Vista system, or did not work without some tweaking that was not mentioned in the advisory.

For instance, Microsoft recommends enabling a feature called "data execution prevention," by clicking "Tools," "Internet Options," then "Advanced," and then checking the box next to that option. However, when I tried to make the changes in IE7 on Vista, I found that option grayed out. To make that change, I had to close out of IE completely, then right click on the IE icon, select "Run as Administrator," and then alter the setting.

Microsoft also suggests shifting IE's Internet and local Intranet security settings to "high." No problems changing that per Microsoft's instructions, except that few sites will load properly in IE because changing that setting disables active scripting, a feature that many Web sites use.

In addition, Microsoft says users can mitigate the threat from this flaw by de-registering the vulnerable component, a system file called "oledb32.dll". To do this, users need to run the Windows command prompt as administrator (to open a command prompt, click "Start," then "Run," then type "cmd.exe"), and type or cut-and-paste the following command:

Regsvr32.exe /u "Program Files\Common Files\System\Ole DB\oledb32.dll"

This generated an error message on my Windows Vista machine, complaining that the action could not be performed. The command worked fine on my Windows XP system.
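
The de-registration step above, as an added PowerShell example (not from Microsoft's advisory or the original post): it builds the absolute path from the ProgramFiles environment variable, refuses to run without elevation, and checks the exit code from regsvr32. The -Restore switch is a hypothetical name introduced here for re-registering the DLL later.

```powershell
# Added example: toggle registration of oledb32.dll as a temporary mitigation.
# -Restore is a hypothetical switch name; without it the DLL is de-registered.
param(
    [switch]$Restore
)

# Build an absolute path so the command does not depend on the current
# directory or on Windows being installed on a particular drive.
$dll = Join-Path $env:ProgramFiles 'Common Files\System\Ole DB\oledb32.dll'

# regsvr32 changes machine-wide COM registration, so it needs an elevated
# ("Run as Administrator") session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    Write-Error 'Not elevated: start the shell with "Run as Administrator".'
    exit 1
}

# Fail early with a clear message if the path does not resolve.
if (-not (Test-Path -LiteralPath $dll)) {
    Write-Error "File not found: $dll"
    exit 1
}

# /s suppresses the dialog boxes; /u de-registers. The path contains spaces,
# so it is passed with embedded double quotes.
$regArgs = @('/s')
if (-not $Restore) { $regArgs += '/u' }
$regArgs += "`"$dll`""

$proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $regArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    Write-Error "regsvr32 failed with exit code $($proc.ExitCode)"
    exit $proc.ExitCode
}

if ($Restore) {
    Write-Output "Re-registered: $dll"
} else {
    Write-Output "De-registered: $dll"
}
```

COM registration is stored in the registry, so the change persists across reboots until the DLL is registered again.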

I would advise Windows users to consider browsing the Web with anything other than Internet Explorer, at least until Microsoft issues a patch to fix this vulnerability. It is not my intention to over-hype the situation, but as we have seen time and again, attackers are usually very quick to take advantage of flaws in IE because the program is the default browser for close to 80 percent of the planet.

And don't count on your anti-virus program to save you from these types of attacks. A scan of the exploit being served up by several of the hacked sites produced atrocious results: only four out of the 32 anti-virus programs used to scan the malware detected it as malicious or suspicious.

By Brian Krebs  |  December 12, 2008; 3:22 PM ET
Categories:  Latest Warnings , Safety Tips  


I had a problem with the Regsvr32.exe command in XP SP3, but I solved it by running it _before_ I disabled oledb32.dll, then I disabled oledb32.dll. (Also, I had to switch to Opera to post this.) FWIW.

Posted by: igorok | December 12, 2008 7:53 PM | Report abuse

Typo in the command. Should be

Regsvr32.exe /u "c:\Program Files\Common Files\System\Ole DB\oledb32.dll"


Posted by: fi85511 | December 12, 2008 8:54 PM | Report abuse

@Nick: Thanks for that. I will investigate, but if it's a typo, it's a typo that's in Microsoft's security advisory: I cut and pasted that straight from their advisory.

Posted by: Brian Krebs | December 12, 2008 9:26 PM | Report abuse

Hi Brian,

I don't see the "data execution prevention" in IE8's Advanced options. Is it under "Security" in IE8? I do have a DEP setting "on" in XP though (Start > Control Panel > System > Advanced > Performance). Is this the same? I have been getting DEP warnings but this has happened since installing IE8 Beta 2 when it came out.

Posted by: roman78 | December 12, 2008 10:02 PM | Report abuse

Sorry. Make that Start > Control Panel > System and Performance > System > Advanced > Performance > Settings > Data Execution Prevention. I have the top setting on.

Posted by: roman78 | December 12, 2008 10:04 PM | Report abuse

Regsvr32.exe /u "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"

is listed on the advisory. The '%' symbols denote a variable, so it will fill in the appropriate drive letter if you don't use C:.

Posted by: bmac4 | December 12, 2008 10:51 PM | Report abuse

That using other browsers is recommended is a bold step in an often pro-Windows column. Nonetheless, today's essay might have mentioned Apple and Linux as generally safer options than Microsoft.

Posted by: TeresaBinstock | December 13, 2008 7:55 AM | Report abuse

OK, I just ran the command Regsvr32.exe /u "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll" and got a success message. Do I need to run the command each time I turn on the computer, and if not, how do I turn it back on once the patch is issued?

Posted by: Matthew617 | December 13, 2008 9:02 AM | Report abuse

Oh, btw I have Vista

Posted by: Matthew617 | December 13, 2008 9:02 AM | Report abuse

@Matthew -- To undo the changes, simply leave off the "/u" in the command:

Regsvr32.exe "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"

Posted by: Brian Krebs | December 13, 2008 10:03 AM | Report abuse

@Teresa -- You say Security Fix is a "pro Windows" column? I'd love to hear your specific thoughts on how you came to that conclusion.

Posted by: Brian Krebs | December 13, 2008 10:33 AM | Report abuse

"...except that few sites will now load properly in IE because..."

Should this read, "not load"?

Posted by: boredbybaseball | December 13, 2008 11:35 AM | Report abuse

Brian -- thanks! Do you know when Microsoft will have the patch?

Posted by: Matthew617 | December 13, 2008 12:44 PM | Report abuse

Teresa B, I've just got to add 2 more thoughts to BK's defense:

First, this reporter has always done a pretty good job of not taking sides in which OS is better than others. If anything, Krebs's page is anti-Internet Explorer.

Second, the point of this particular column is to advise IE users on what to do in the short term. Switching browsers or following the MS advisory are obvious answers. Switching operating systems because of a browser problem (as you seem to suggest) is beyond overkill. Not to mention the fact that most people can't exactly stop on a dime and switch their OS.

Posted by: Booyah5000 | December 13, 2008 5:46 PM | Report abuse

DEP can be done through DOS. In Vista, right-click the cmd icon > Run as admin > paste the following command:

bcdedit.exe /set {current} nx AlwaysOn

I turned it off but recently re-enabled it. Thanks Brian.


Posted by: Ron-B | December 13, 2008 9:04 PM | Report abuse

Symantec Antivirus 10 detects a Bloodhound.Exploit.219 when I try to visit that Abit website with IE6/Win2k3 Std. Unable to tell whether the system has been compromised.

It's all sandboxed in VPC2007 anyway.

Posted by: darthboy | December 14, 2008 11:33 AM | Report abuse


I have my defaults set to 'download updates but do not install until I see what they are'

Nevertheless, often when I shut down my XP Pro, I then get advised that updates are being installed anyway.


Also, since I have now installed a wireless keyboard, when the computer is put in the 'sleep mode,' the on light on my computer remains on. With a wired keyboard, that did not happen.


Posted by: | December 15, 2008 5:49 AM | Report abuse

Similar to roman78, I also did not have the check box for DEP in IE7 on Windows XP. I also had to go through Control Panel.

Posted by: reswob | December 15, 2008 12:07 PM | Report abuse

Just wanted to let everyone know that SonicWall seems to be on the ball. My network is behind a TZ180 running OSEnhanced and the Gateway Antivirus is enabled for http (and all others). I tried to visit the Chinese Abit site and was denied access to the site by the SonicWall Gateway Antivirus reporting an Exploit.

Also, as I was typing this, I tested the site from outside the firewall and Symantec Endpoint 11 Intrusion Prevention picked up on the attack reporting "HTTP MSIE Malfomed XML BO detected. Traffic has been blocked from this application: C:\Program Files\Internet Exploere\iexplore.exe" and the Active Response stated: "Traffic from IP address **** is blocked."

Obviously the hole still exists in IE, and many anti-virus solutions are reported to not pick up on the zero-day exploit attacks, but it's good to know that my LAN is protected.

Posted by: djmentat | December 15, 2008 12:34 PM | Report abuse

After following this path: Start > Control Panel > System and Performance > System > Advanced > Performance > Settings > Data Execution Prevention.

this is what I found:

"Your computer's process does not support hardware-based DEP. However, Windows can use DEP software to help prevent some types of attacks."

I, XP Home, SP3, did not find DEP looking under the Internet Options listed on IE7.
I guess I will also "de-register" the vulnerable component, just to be sure.

Too bad we are 'required' to keep IE on our systems.

Posted by: ummhuh1 | December 15, 2008 3:15 PM | Report abuse

Thanks, Brian. The fix, as you entered it, ran successfully for me.

Posted by: pakrat8 | December 16, 2008 11:11 AM | Report abuse

Lovely, just one more reason I use FireFox instead!

Posted by: clermontpc | December 16, 2008 3:32 PM | Report abuse

As a writer for technology -- I must say, you probably don't even care to research any given instructions - like those from MS.

I feel sorry for you dude! Not even sure why you should be writing for this column. You don't have any business giving some workarounds if you don't even try to understand it yourself.

Posted by: pbraquel | December 17, 2008 11:31 AM | Report abuse

I am sure glad that I use Linux Ubuntu 8.10 on my notebook PC and my browser of choice is Firefox.

Posted by: jkohler217 | December 17, 2008 3:52 PM | Report abuse

Posted by: mpdooley | December 18, 2008 9:11 AM | Report abuse

The comments to this entry are closed.
