
Microsoft Issues Emergency Patch to Curb Password-Stealing Hackers

Microsoft today issued an emergency update to plug a critical security hole present in all versions of its Internet Explorer Web browser, a flaw that hackers have been leveraging to steal data from millions of Windows users.

The patch, which Microsoft dubbed MS08-078, fixes a security vulnerability that Microsoft says already has been used to attack more than 2 million Windows users.

As Security Fix and other members of the tech community have chronicled, attackers have been busy compromising thousands of Web sites by seeding them with code that installs password-stealing software on computer systems of Web site visitors who use Internet Explorer. Microsoft estimated Monday that one in every 500 Windows users had been exposed to sites that try to exploit the flaw. Additionally, it said the number of victims was increasing at a rate of 50 percent daily.

Vulnerability management company nCircle said Microsoft's decision to issue the patch outside of its normal Patch Tuesday (second Tuesday of each month) cycle is wise, given the current exploitation of the flaw and because instructions for exploiting the flaw are now available online.

"Given the ongoing attacks for this bug and because the technical details have been available to the public for over a week, this is clearly a high risk client side vulnerability that everyone should patch now," said Andrew Storms, director of security for nCircle.

This is an urgent update. If you use Windows, apply this patch now. Windows users can download the fix at Windows Update, or by enabling Automatic Updates.

By Brian Krebs  |  December 17, 2008; 2:32 PM ET
Categories:  New Patches  

Comments

This is like the boy who cried wolf. How many emergency patches can any one company issue in one year? Maybe it is time for Microsoft to admit its browser is completely flawed and build a new one from scratch.

Posted by: RickJohnson621 | December 17, 2008 4:30 PM | Report abuse

Hey RickJohnson621, it's understandable that Microsoft needs to issue so many patches. It's not that IE is a poor product, it's that it's the most popular browser in use and is under constant attack by very intelligent criminals. Can you build a better browser?

Posted by: davidwg35 | December 18, 2008 8:11 AM | Report abuse

Of course there are better browsers: Opera, Firefox, Camino, Mozilla, to name a few. They're not perfect but they're not riddled with security flaws. Smart people don't use IE: they use a browser that has a chance of operating securely.

Posted by: jpk1 | December 18, 2008 10:56 AM | Report abuse

Mr. Krebs, will the patch, which has been subsequently downloaded, protect and/or disable the prior existing malware? If not, how do you know if your system has been affected and what do you recommend for remediation? Thank you in advance.

Posted by: MLIP | December 18, 2008 12:55 PM | Report abuse

How about putting some of the blame on the Web site owners who don't patch their servers? The article indicates "... attackers have been busy compromising thousands of Web sites by seeding them with code that installs password-stealing software..." A majority of Web sites are running non-Microsoft web servers, so what about those companies? Aren't they issuing patches for their software? Or is it the administrators who don't know how to secure a web server?

Posted by: ginigma | December 18, 2008 5:04 PM | Report abuse

@ginigma -- I suspect there are patches or configuration best practices available for most of the Web site/application vulnerabilities being exploited in this attack. Most of it is being done through automated SQL injection attacks. So the Web site admins of course deserve some of the blame.

Posted by: BTKrebs | December 18, 2008 5:19 PM | Report abuse

@jpk1, unfortunately, that's not correct. It really is about the fact that IE is so widely used and therefore the target of criminals that these security flaws get exploited. Those other browsers are just as riddled with security flaws as IE. Of course, it doesn't get the press coverage that IE does because those other browsers don't have nearly the userbase that IE does.

Just recently several critical security flaws have been fixed in FF.

http://www.hackinthebox.org/index.php?name=News&file=article&sid=29285

http://www.theinquirer.net/inquirer/news/082/1050082/firefox-fixes-eight-security-flaws

http://www.mozilla.org/security/known-vulnerabilities/firefox30.html

Posted by: CharlesLD | December 18, 2008 11:47 PM | Report abuse

PS - make sure to patch your alternative browsers frequently, don't rely on security through obscurity or the false notion that they don't contain security holes.

Posted by: CharlesLD | December 18, 2008 11:49 PM | Report abuse

Brian, et al...

I have both XP and Vista-based machines running at home. I've attempted to update all the instances of IE (even though I use FF by default). On the XP machines, I now show version 7.0.5730.13, but on the Vista machine IE shows version 7.0.16000, even though MS update reports it's up to date. Secunia Scanner shows IE is insecure, but I can find no way to update it on the Vista-based machine. Suggestions?

Thanks.

Posted by: DredNotPikr | December 22, 2008 4:32 PM | Report abuse

This Windows xp patch has virtually destroyed my computer's performance (after taking half a day to install) and there appears to be no way to uninstall it. I'd rather take my chances with hackers than Microsoft. What can I do?

Posted by: hgrovercatearthlinknet | December 23, 2008 10:31 AM | Report abuse

Hello to hgrovercatearthlinknet, "What can I do?" Well, you could run Linux. Your computer will fly, you will be amazed and you would thank me, if you knew who I was. And don't let the IE apologists scare you, Firefox is fixed lickety-split.

Posted by: rajihammer | December 23, 2008 7:35 PM | Report abuse

@hgrovercatearthlinknet: You should see my post on this before Microsoft issued this patch, which listed some interim workaround/steps that users could take to mitigate this threat.

http://voices.washingtonpost.com/securityfix/2008/12/microsoft_big_security_hole_in.html

Also see Microsoft's follow-up clarifications on suggested workarounds, if the patch is causing that much trouble:

http://blogs.technet.com/swi/archive/2008/12/12/Clarification-on-the-various-workarounds-from-the-recent-IE-advisory.aspx

You can uninstall almost all updates from Microsoft. This patch should be listed in Add/Remove Programs (you have to make sure the box next to "Show Updates" is checked). The patch you are looking for would have been installed on or around Dec. 18. It should be called:

Security Update for Microsoft Windows (KB960714)

Posted by: BTKrebs | December 23, 2008 11:42 PM | Report abuse

@DredNotpikr -- See my answer just posted about how to find this patch. In Vista, go to Control Panel, Programs and Features, and then to the left click Installed Updates. Look for a recently installed update with the KB960714 at the end of it. If you see that, the patch is installed.

Posted by: BTKrebs | December 23, 2008 11:43 PM | Report abuse
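The two comments above describe checking Add/Remove Programs or Programs and Features by hand for KB960714. As an added example (not from the article, the commenters, or Microsoft), the PowerShell below does the same check from the installed-updates list that Windows exposes through WMI and also reports the Internet Explorer version; it assumes the KB number given in the comments and the standard Internet Explorer registry key.

```powershell
# Added example: verify that the MS08-078 update (KB960714, as named in the
# comments above) is present and report the installed IE version.
# Assumptions: the KB id comes from the page; the registry path is the
# standard Internet Explorer version key; WMI is available (it is on XP/Vista).

$KbId = 'KB960714'

# Win32_QuickFixEngineering is the list behind Add/Remove Programs
# (with "Show Updates" checked) and Programs and Features > Installed Updates.
$hotfix = Get-WmiObject -Class Win32_QuickFixEngineering |
    Where-Object { $_.HotFixID -eq $KbId }

# The IE version string alone does not prove a security update is applied
# (security updates do not always change it), so it is reported for
# context only; the hotfix entry is the reliable indicator.
$ieKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$ieVersion = (Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue).Version

if ($hotfix) {
    # InstalledOn may be empty on some older systems; report it when present.
    Write-Output ("{0} is installed (InstalledOn: {1})." -f $KbId, $hotfix.InstalledOn)
} else {
    Write-Output ("{0} is NOT listed among installed updates; run Windows Update." -f $KbId)
}
Write-Output ("Internet Explorer version: {0}" -f $ieVersion)
```

Run it in an elevated PowerShell session; if the update is missing, the Microsoft workaround links posted above remain the interim option until Windows Update installs it.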



© 2010 The Washington Post Company