July 2, 2004 1:00 PM PDT

Microsoft posts work-around for IE flaw

Microsoft released on Friday a work-around for an Internet Explorer vulnerability that has left Windows users open to attacks for almost nine months.

The flaw, in an ActiveX scripting component, gained notoriety last month when it became the mechanism used by a network of compromised Web sites to install a malicious program on victims' computers. Microsoft has decided to plug the hole by turning off the ability for the ActiveX component to write to the operating system. The software giant published the work-around on its Web site and directed customers to use its Windows update service to download the patch.

Though Microsoft intends the change to become a standard configuration for Windows, the software giant is working on a more comprehensive solution, said Stephen Toulouse, security program manager for Microsoft's security response center.

"It is a permanent change, but it is an interim step--we are still in the middle of our investigation," he said. "We have taken a look at the functionality in the product and seen that that functionality is really being used by attackers."

The change fixes a problem that allowed several compromised Web sites to infect visitors' PCs with a Trojan horse program, known as Download.Ject or JS.Scob.Trojan. The program would record the keystrokes and send them to an overseas e-mail address. That Internet Explorer security issue and several others led some security experts to suggest that users should consider alternative browsers.

Microsoft's configuration change blocks the ability of the ADODB.screen ActiveX component to write to the PC's hard drive. ActiveX, which adds interactivity to Web sites viewed with Internet Explorer, has long been thought to have security issues.

This particular vulnerability has been known about for more than 9 months, said David Endler, director of incident response for security company Tipping Point.

"Though written configuration hardening instructions have been available online for a while, it's nice to finally see this particular security tweak in Internet Explorer distributed to the masses, even if it's long overdue," he said.

Microsoft continues to study this issue and expects to release a more comprehensive patch. Moreover, the company is readying a major security update for Windows XP, known as Service Pack 2, that should be out later this summer.

Are you sure?
by Pete Bardo July 2, 2004 3:34 PM PDT
I find absolutely no reference to ADODB.screen anywhere on MSDN. Could it be the object is ADODB.stream? It makes sense.
What took so long?
by wrwjpn July 2, 2004 11:39 PM PDT
This was a known hole in a previous version of IE and then fixed but only to reappear again. They knew how to fix before, YET, it took MS 9 months to release a patch and then tell us it is only for the interim.

Well, I think it is time to use an alternative browser and if a site doesn't work with it then I won't visit the site.

If it is a bank that only supports IE then I won't bank there because that tells me security and my privacy aren't important to them. These banks know that IE is swiss cheese and yet they still require customers to use IE to do their online banking.

At least I know my money in the mattress is safer than at the bank relying on all of MS for their system and applications.
only supports IE
by John Kuzak June 4, 2007 1:53 PM PDT
http://www.analogstereo.com/lexus_owners_manual.htm
Why Would You Even?
by July 3, 2004 2:36 PM PDT
I don't know why anyone would use IE. It's just about useless.
You can't have tabbed browsing, no built-in pop-up blocker oh,
and it's not safe at all. If you don't know where to get Mozilla
Firefox (which is the best one) just go to www.mozilla.org. Don't
use IE.