[ISN] Hackers jump through holes in Microsoft patch

From: InfoSec News (isnat_private)
Date: Tue Sep 09 2003 - 01:15:17 PDT

  • Next message: InfoSec News: "[ISN] HiverCon 2003 Earlybird Registration - Last Week"

    Forwarded from: William Knowles <wkat_private>
    By Paul Roberts
    IDG News Service
    Security experts are warning Microsoft customers about silent Internet
    attacks that exploit a security flaw in the Internet Explorer Web
    browser, potentially allowing remote attackers to run malicious code
    on vulnerable machines.
    The vulnerability is similar in scope to those exploited by
    devastating worms such as Nimda, Badtrans and Klez, according to one
    security company. And, to make matters worse, the flaw is one
    Microsoft said it fixed weeks ago.
    The security hole, known as the "Object Data vulnerability," affects
    Internet Explorer (IE) versions 5.01, 5.5 and 6.0. It concerns the way
    that IE processes HTML pages containing a special element called the
    Object Data tag. If properly exploited, the vulnerability could enable
    an attacker to place a malicious computer program on a user's machine.  
    No user actions would be required aside from opening an e-mail message
    or visiting a Web page containing the attack.
    On Aug.20, Microsoft released a patch for IE, MS03--032, that it said
    closed the hole, in addition to patching other security holes in IE.
    According to a message posted to a prominent security discussion group
    Sunday, however, the vulnerability still exists on machines using IE
    even after applying the patch.
    That message, posted by an individual using the name
    "http-equivat_private," contained sample code that showed IE is still
    vulnerable to attack using the vulnerability from HTML pages that are
    created dynamically using computer script, like JavaScript, embedded
    in Web pages or e-mail messages.
    A Microsoft spokesman confirmed that the company is investigating the
    reports of new exploits for one of the vulnerabilities addressed in
    the MS03-032 security bulletin.
    However, Microsoft still recommends that customers install that patch,
    he said.
    The software giant is not aware of any customers who have been
    attacked using the vulnerability, he said.
    However, security researchers know of at least one exploitation of the
    Object Data vulnerability that is already circulating on the Internet,
    according to a statement by security company Secunia of Copenhagen,
    An e-mail message that contains HTML code that exploits the
    vulnerability is used to silently retrieve and run a file, "drg.exe,"  
    that installs a file called "surferbar.dll" onto the victim's
    computer, according to the Secunia alert.
    That file adds a new bar to the affected users' Internet Explorer Web
    browser with links to pornographic Web sites, the company said.
    The Object Data vulnerability is also similar to an earlier IE
    security hole dating to 2001, MS01-020, that was exploited by virulent
    e-mail worms such as Nimda and Klez, according to Secunia.
    Security experts familiar with the issue say that Microsoft's failure
    to thoroughly test their patch against attack scenarios using the
    Object Data vulnerability is a black eye for the company.
    "Microsoft should be ashamed. This is a major embarrassment," said
    Richard Smith, an independent security analyst based in Boston.
    The problem with the Object Data vulnerability is similar to a hole
    found in a prior Microsoft patch, according to Israeli security
    company GreyMagic Software, which issued a report on the problem in
    Feb. 2002.
    That fact points to problems with Microsoft's patch testing process,
    Smith said.
    "They need to go back and look at how this slip-up occurred. They keep
    saying they can't prevent bugs, but when the same problems keep
    occurring over and over, that's a management issue," he said.
    A Microsoft spokesman said the company is committed to keeping
    customers data safe and will take "appropriate action" to protect
    customers when its investigation into the new exploits is complete.
    In the absence of a patch from Microsoft to fix the problem, security
    experts recommended disabling support for Active Scripting on affected
    IE versions. Failing that, users should consider uninstalling the
    popular browser to protect themselves from attack, experts said.
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    Help C4I.org with a donation: http://www.c4i.org/contribute.html
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Sep 09 2003 - 03:55:06 PDT