http://www.atnewyork.com/news/article.php/3288141 December 11, 2003 By Ryan Naraine On the heels of an announcement from Microsoft (Quote, Chart) that it won't be issuing December security patches under the new monthly release cycle, a security researcher has gone public with a new Internet Explorer vulnerability that could be used by 'phishers' to perpetuate on line fraud. The latest IE flaw carries a 'moderately critical' rating and is the second major vulnerability in the world's most popular Web browser that remains unpatched. Late last month, Chinese researcher Liu Die Yu warned of five serious IE vulnerabilities that could be exploited to take over a vulnerable system. Yu's warning was released on several public mailing lists and carried a 'critical' warning that the flaws could lead to system access, exposure of sensitive information, cross site scripting and security bypass. The public release of proof-of-concept exploits before fixes are issued underscores the nightmares the software giant face in its all-out effort to improve its patch management process. A company spokesman told internetnews.com the internal investigations were ongoing regarding both IE flaw alerts and promised a patch would be issued at the appropriate time. Publicly, Microsoft isn't saying why it decided against releasing patches. On the TechNet repository, the company said simply that if the need arises for emergency patches, they will be issued outside the monthly releases. A company official told internetnews.com security fixes were in development but problems during the testing phase pushed back the release date. The source could not say if a cumulative patch for Internet Explorer was part of the tests and left the door open to an emergency release of an IE patch before the second Tuesday in January, the next scheduled release date. As Microsoft struggle to cope with the patch management headache, researchers say the latest IE flaw was detected in the way the browser displays URLs in the address bar. A test exploit [1] using the microsoft.com domain was made public, showing that a specially crafted URL can be used by an attacker to spoof a Web address. The spoofing technique is regularly used by scammers to trick unsuspecting surfers into give up sensitive information, including credit card and social security numbers. The URL spoofing flaw, which affects IE version 6.0, lets an attacker hide the real location of a Web page by including a special character and the "@" sign. "Successful exploitation allows a malicious person to display an arbitrary FQDN (Fully Qualified Domain Name) in the address bar, which is different from the actual location of the page," according to the alert. Separately, Jupiter Research analyst Joe Wilcox disclosed that a glitch in Microsoft's Windows Update detection process accounted for the issuance of the patch for the November FrontPage Server Extensions security vulnerability. Writing on the Microsoft Monitor Weblog, Wilcox said changed in Windows Update resulted in the patch being issued for systems that did not need it. "Unfortunately, I let Windows Update apply the patch to three of my computers. Now, the question is what problems, if any, that might cause for any computers to which the patch was applied," he said. He said the Windows Update glitch was another black eye against the Redmond, Wash.-based company. "[T]he larger problem is trust and execution. If the company truly plans to make the Windows Update process better and, presumably, more automatic, the dispatched patches must always be the right ones. Consumers and smaller businesses would need to be able to trust that the process will always be flawless. A wrong patch could create big problems if put on the wrong version of Windows or application. Larger businesses would want to test patches anyway," Wilcox argued. * Editor's Note: internetnews.com and Jupiter Research shares the same parent company. [1] http://www.zapthedingbat.com/security/ex01/vun1.htm - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Dec 12 2003 - 03:54:29 PST