[ISN] Microsoft Patches Fail To Fix Dangerous Security Flaw

From: InfoSec News (isn@private)
Date: Wed Jan 14 2004 - 03:54:12 PST

    Forwarded from: William Knowles <wk@private>
    
    http://www.washingtonpost.com/wp-dyn/articles/A13587-2004Jan13.html
    
    By Brian Krebs
    washingtonpost.com Staff Writer
    January 13, 2004
    
    Microsoft Corp.'s latest round of software patches fails to fix a flaw 
    in its Internet Explorer Web browser that makes it easier for online 
    criminals to dupe people into disclosing their credit card numbers, 
    passwords and other private data.
    
    Security experts were hoping that the patches, which were released 
    today, would address the problem, but a Microsoft official said that 
    the company is still devising a fix.
    
    The flaw lets criminals control the information displayed in the 
    address bar of Explorer's browser window. It was most recently used to 
    trick people into visiting a forged version of the Citibank Web site. 
    Once there, users were prompted to share personal identification and 
    credit card account numbers. Citibank today warned people to steer 
    clear of an e-mail that links to the fake site.
    
    Security experts said that the flaw is easy to exploit.
    
    "I could teach any grade school kid how to do it," said Ken Dunham, 
    malicious code manager for Reston, Va.-based security company 
    iDefense. "I'm very concerned for the Internet public at large because 
    this is one of the most dangerous trends we've seen emerge."
    
    The scheme is gaining notoriety after criminals sent e-mails earlier 
    this month to customers of the PayPal online payment service and two 
    British financial institutions that linked to fake Web sites. Last 
    week, an e-mail scam tried to steal information from subscribers to 
    Earthlink, the nation's third-largest Internet service provider.
    
    "From a consumer standpoint, this is probably the most severe security 
    flaw I'm aware of right now," said Johannes Ullrich, chief technology 
    officer for the SANS Institute's Internet Storm Center, which tracks 
    online attacks.
    
    The false Web sites are the latest twist on "phishing scams," e-mails 
    that lure customers into divulging their personal and financial 
    information.
    
    Roughly 5 percent of people who are actual customers of a company 
    targeted by the bogus e-mails fall for the scams, said David Jevans, 
    senior vice president at Tumbleweed Communications in Redwood City, 
    Calif. Jevans also serves as chairman of the Anti-Phishing Working 
    Group, a group of banks and e-mail security companies that fight 
    phishing schemes.
    
    "This is a highly profitable venture for people because there is 10 
    times more money to be made in phishing scams than through regular 
    spamming," Jevans said.
    
    Experts called the Citibank ruse one of the most convincing. It began 
    with a Web-based e-mail bearing the bank's trademark design, colors 
    and logo. The message said that the company had suffered some problems 
    with its data storage due to fraud activity, and urged customers to 
    check their account balances.
    
    "Citibank notifies all it's [sic] customers in cases of high fraud or 
    criminal activity and asks you to check your account's balances. If 
    you suspect or have found any fraud activity on your account please 
    let us know by logging in at the link below," it said.
    
    Security experts said that by failing to issue a patch to fix the 
    problem, Microsoft is ignoring a serious problem.
    
    "I see this trick being used in the wild almost daily now, and they 
    definitely need to do something about it," said Ullrich.
    
    Vincent Weafer, senior director of anti-virus company Symantec 
    Security Response, said that the vulnerability also can be used to 
    spread "backdoor Trojans," programs that allow hackers to control a 
    victim's computer.
    
    Several viruses have used clever e-mails to fool consumers into 
    downloading Trojans disguised as critical security updates from 
    Microsoft. Using the Explorer flaw could trick users into believing 
    they are visiting Microsoft.com while they are downloading a Trojan 
    from a bogus site instead, Weafer said.
    
    "This vulnerability has all the ingredients needed for the propagation 
    of malicious code, and I absolutely believe it will eventually be used 
    for that purpose."
    
    A Microsoft spokesman said the company is working deliberately on 
    developing a patch to make sure it does not disable other features in 
    the Windows operating system or prevent users from visiting legitimate 
    Web sites.
    
    "An incomplete patch can almost be worse than no patch at all," said 
    Stephen Toulouse, security program manager with the Microsoft Security 
    Response Center.
    
    Today's batch of security updates is the third Microsoft has released 
    since it announced that it would issue them on a monthly basis. 
    Microsoft chief executive Steve Ballmer announced the change in early 
    October following criticism that the company is not doing enough to 
    protect Windows users. Microsoft said it made the changes to help ease 
    the burden on system administrators by making its patching process 
    more predictable.
    
    The three patches Microsoft released today involve programs and 
    vulnerabilities commonly found in corporate networks, not home user 
    systems. One vulnerable component, however, a Web database management 
    program known as "Microsoft Data Access Components" is shipped with 
    nearly all versions of Windows. Users can check which updates they 
    need to download at this Windows Update site.
    
    For a safe demonstration of the Microsoft IE vulnerability, click here 
    (this will only work for Internet Explorer users).
    
    For information on how to protect yourself against phishing scams in 
    general, check out the Federal Trade Commission Web site or 
    anti-phishing.org.
    
    
    
    *==============================================================*
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    ----------------------------------------------------------------
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ================================================================
    Help C4I.org with a donation: http://www.c4i.org/contribute.html
    *==============================================================*
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
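Editor's added example (not part of the article or the forwarded message): the article only says the flaw lets an attacker "control the information displayed in the address bar". The spoof it refers to relied on the userinfo part of a URL, the "user:pass@" prefix that IE honoured at the time: a link such as http://www.citibank.com%01@203.0.113.10/ made IE show only the text before the %01 byte while the request went to the host after the "@". That background is not stated on the page and is supplied here as context. The checker below splits a URL into what such a link displays and where it really connects, and scans a mail body for links of that shape. All hosts, addresses and the sample mail are constructed for illustration.

```python
"""Flag URLs that abuse the userinfo part ("user:pass@") to spoof the host
shown in the browser address bar.  Added example; not from the article.

Background assumption (not stated on the page): the IE address-bar flaw in
circulation in January 2004 used URLs such as
    http://www.citibank.com%01@203.0.113.10/
IE displayed only the text before the %01 byte, while the request went to
the host after the '@'.  Hosts, addresses and mail text below are constructed.
"""
import re
from urllib.parse import urlsplit, unquote

# C0 control characters plus DEL; %00 and %01 were the bytes used to hide
# the real host in the address bar.
CONTROL_CHARS = {chr(c) for c in range(0x20)} | {chr(0x7F)}

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def analyse_url(url: str) -> dict:
    """Split a URL into what a userinfo spoof would display and where it really goes."""
    parts = urlsplit(url)
    userinfo, sep, hostport = parts.netloc.rpartition("@")
    if not sep:                        # no '@' at all: there is no userinfo
        userinfo, hostport = "", parts.netloc
    real_host = hostport.split(":", 1)[0].lower()   # drop any :port
    decoded = unquote(userinfo)

    # The text the address bar showed: the userinfo up to the first control char.
    displayed = decoded
    for i, ch in enumerate(decoded):
        if ch in CONTROL_CHARS:
            displayed = decoded[:i]
            break

    if not userinfo:
        verdict = "ok"                 # address bar shows the real host
    elif displayed != decoded:
        verdict = "spoof"              # a control byte hides the real host
    elif "." in displayed.split(":", 1)[0]:
        verdict = "suspicious"         # userinfo looks like a hostname
    else:
        verdict = "credentials"        # plain user:pass@host; still worth noting

    return {
        "url": url,
        "real_host": real_host,
        "userinfo": decoded,
        "displayed_host": displayed if userinfo else real_host,
        "verdict": verdict,
    }


def find_spoofed_urls(text: str) -> list:
    """Extract http(s) URLs from text and return the analyses of any that spoof."""
    results = [analyse_url(m.group(0)) for m in URL_RE.finditer(text)]
    return [r for r in results if r["verdict"] in ("spoof", "suspicious")]


# Constructed phishing mail modelled on the wording quoted in the article.
SAMPLE_MAIL = """\
Citibank notifies all its customers in cases of high fraud or criminal
activity and asks you to check your account's balances. If you suspect
or have found any fraud activity on your account please let us know by
logging in at the link below:
<a href="http://www.citibank.com%01@203.0.113.10/confirm/">http://www.citibank.com/</a>
Questions? See http://www.citibank.com/help/
"""

if __name__ == "__main__":
    for hit in find_spoofed_urls(SAMPLE_MAIL):
        print(f'{hit["verdict"]}: shows {hit["displayed_host"]!r}, '
              f'connects to {hit["real_host"]!r}')
```

The check looks at the link target, not the anchor text, which is why the sample mail's innocent-looking display URL does not matter. A bare "host@host" without a control byte is reported as "suspicious" rather than "spoof", since the address bar would show the whole userinfo; ordinary credentials in a URL are reported separately so a mail gateway can treat them as a lesser signal.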
    



    This archive was generated by hypermail 2b30 : Wed Jan 14 2004 - 06:43:30 PST