Security pros provide interim IE patch

A group of security professionals has created a third-party fix for a recently discovered Internet Explorer flaw that's increasingly being used in cyberattacks.

The group, which calls itself the Zeroday Emergency Response Team, or ZERT, created the patch so IE users can protect themselves while Microsoft works on an official fix

"Certain members of the group feel that the risk associated with this vulnerability is so great that they can't wait for a patch. Some users might agree with that and apply this patch," ZERT spokesman Randy Abrams said Friday. Abrams is director of technical education at security company ESET and volunteers with ZERT.

The flaw lies in the way IE 6 handles certain graphics. Malicious software can be loaded, unbeknownst to the user, onto a vulnerable Windows PC when the user clicks on a malicious link on a Web site or an e-mail message. Word of the vulnerability came earlier this week, when the weakness already was being exploited in cyberattacks.

"Attacks have ramped up significantly in the past 24 hours," said Ken Dunham, director of the rapid response team at VeriSign's iDefense. In many cases, the attacks install spyware, adware and remote control software on victims' PCs.

In at least one case, cybercriminals broke into a Web hosting company and redirected 500 Internet domains to point to a malicious site that exploits this latest flaw, Dunham said. "So you're just surfing the Web, and all of a sudden, you are redirected to a malicious Web site," he said.

Attacks that exploit the flaw via e-mail likely will surface soon, he added.

While Microsoft is aware of the attacks, it said it does not recommend using the third-party fix. "As a best practice, customers should obtain security updates and guidance from the original software vendor," a Microsoft representative said in a statement.

This is the third time this year somebody has beaten Microsoft to the punch with a security fix. In January, an outside patch was created for a vulnerability in the way Windows renders Windows Meta File images, and in March, two security companies issued patches for a bug related to how IE handled certain tags in Web pages.

ZERT is made up of security professionals from around the world who volunteer their time. The ZERT patch, available for Windows 2000, Windows XP and Windows Server 2003, was created in 19 hours, primarily by three experts: Joe Stewart of Lurhq, Israeli reverse-engineering specialist Gil Dabah, and vulnerability researcher Michael Hale Ligh, Abrams said.

Risk of third-party fixes
A word of caution is warranted when it comes to third-party fixes, ZERT noted. "There is a risk associated with a third-party patch because it hasn't gone through the extensive testing that Microsoft puts its patches through," Abrams said. ZERT does provide the source code of its fix, allowing people to validate what it does.

On its Web site, ZERT stresses that its fix has no warranties. "While ZERT tests these patches, they are not official patches with vendor support and are provided as-is with no guarantee as to fitness for your particular environment. Use them at your own risk or wait for a vendor-supported patch," the group stated. The ZERT fix will be removed from the group's site once Microsoft has issued its update, the group said.

ZERT's patch may work well for some individual users or smaller organizations, iDefense's Dunham said. "Most small businesses are agile, but for larger organizations, applying a patch is a bigger hassle. A third-party patch introduces a wide variety of concerns and cost measures, and those can't be ignored," he said.

In addition to compatibility problems, third-party fixes could introduce security vulnerabilities, Dunham said. Microsoft provides several workarounds that do not require the third-party patch on its Web site. Dunham recommends using a workaround, but also said he expects Microsoft to rush out its patch before Oct. 10.

[roger.d.miller]

IE7 RC1

IE7 RC1 is not vulnerable and is readily available.

[Dalkorian]

options

Same can be said for FireFox. Plus, FF isn't made by the company
with the worst security record in all history and it's not perversely
integrated into the OS.

[Jim Hubbard]

Any proof of that?

According to http://www.osvdb.org/28946 you are wrong.

Who has tested the vulnerability in IE7?

I did not see any ecidence that IE7 was unaffected in the MS KB release.

[honeybear10042]

IE 7 with updates

Sorry but IE7 RC1 crashed my computer and it sucks big time, never thought I would see the day that I would have to DownLoad FireFox 2 to use the internet. Microsoft is lossing customers every day now to firefox and maybe it will teach them that they can't scew around with peoples computer's and etc. Dennis Miller

[Penguinisto]

Hmm... where are all the MSFT apologists today?

Funny you don't see any.

BTW - according to http://isc.sans.org, it ain't just porn sites getting smacked with this...

Ah well - maybe all the astroturfers are busy trying to reload Windows onto the freshly busted machines?

( as /me goes surfing on in Firefox on Linux... )

/P

[fc11]

Another way to workaround: Set Security to High

Set security to high and then enable file download. This vulnerabiltiy and most other IE vulnerabilties do not apply if you set security to high.

For any site you really want scripting to work, add it to intranet zone.

I used IE for 8 years with this practice and never had a problem. I viewed all sorts of sites and never had to worry.

[Trane Francks]

Danger! False assumption!

You're offering a dangerously false sense of security here. The problem isn't that files are surrepeticiously downloaded, the problem is that there is a buffer overflow exploit in a VML tag. Setting security to high means nothing in case the user is tricked into viewing VML code.

True workarounds for this exploit are as follows:

* Disable access to vgx.dll by either un-registering it or blocking access with file system access control lists

* Users of Windows XP SP2 should disable binary and script behaviors within Internet Explorer

* Read e-mail in plain text to protect against HTML-based variations of this exploit that may be created for e-mail distribution

I'm glad that for many years you didn't have to worry. If you're running IE6, you now have cause for concern.

[extinctone]

Another way to workaround: Set default browser to anything but Microsoft IE

C'mon people, how many times do you have to hear it? The single most effective defense against never-ending Internet threats is, do not use Microsoft products. All products are vulnerable, but all products combined do not have as many threat vectors as MS products alone.

[qwerty75]

sheesh

"he expects Microsoft to rush out its patch before Oct. 10."

How many weeks is that?

If this was a problem in Firefox it would have been fixed by now.

[suzo]

MS Defense.

Well, if you plan to attack somebody, why would you attack an OS or browser that less than 10% of users do use? If you think that FireFox is better check http://news.com.com/Firefox+update+patches+security+holes/2100-1002_3-6116267.html. Overall security exist in any product, MS products do get attack more because most of the people have them installed. Keep in mind that MS can not rush a patch. Doing a code fix may not take a long time but the overhead of releasing it takes much longer. You can not rush a patch since it can backfire with possible regressions or other problems. MS faces big challenges on terms of testing since as you may know most people write software on top of their products so most likely testing will take them longer. Just think on the different number of configurations that they have to test an IE patch... In terms of OS's WinXP SP2, WinXP SP1, Win2k SP4, Win2003 RTM win2003 SP1... In terms of internal MS products that use IE... office 2000, office 2002, Office 2003, Visio, Project... etc... what about making sure third party software still works correctly? Also, how many different ways does MS make this fix widely available? windows Update, Microsoft Update, Automatic Updates, Download from WEB. SMS, etc... I think MS is comitted, sometimes people overlook the time this work may take. I mean... is not just make a fix and ship it, that can be done by a third party company since they don't have to face the different consequences of not doing correctly...

[maxwis]

MS Made Problem Much Worse By Integration

Microsoft made the problem of IE security vulnerability and repair much worse by making the decision years ago to tightly integrate IE with the operating system. They did this to try and kill off competitors like Netscape. At the time the integration decision was made, many outside people correctly predicted that this would create an unhealthly linkage between the two. Today we see the result of this decision, which manifests in a complex, lengthly repair cycle to fix IE exploits. Last month we saw an example of the need for MS to release an IE patch to a patch because the first patch broke something. One argument in favor of using non-IE browsers is that when a security vulnerability is discovered it can be addressed more quickly because there is not the possibility that it will break the operating system or something else unrelated.

[qwerty75]

clueless

First of all no one said that FF is perfect. It has flaws but are fixed in days. MS waits months to fix anything, and almost always until after exploits are out and causing trouble. Part of this is due to the fact that MS stupidly tied IE to the OS. The main reason is incompetance. Firefox fixes BEFORE problems show up. If you can't see the difference, enjoy the fruits of your ignorance.

Firefox is decades ahead of IE6 and years ahead of IE7.

Your security through obscurity argument is completely without merit and shows you don't understand software. If your assertion was true, then Apache would be the most exploited web server on the market, since it owns the vast majority of the market share. It isn't the most exploited. Three guess which company makes the most exploited servers, yet are a small player.

MS products get exploited the most for one reason: it is the easist.

Products like Firefox, Linux, OSX, OpenOffice, ect get exploited the least for one reason: They have security built in from the ground up and are extremely difficult to exploit.

[bdurant]

THIS patch will RUIN your computer

Don't EVEN download it.... spyware!!!!

[CancerMan2]

Chief Ethics Officer Canned On Friday

HP's Chief Ethics Officer, Kevin T. Hunsaker was canned on Friday. According to the story below he made specific requests that the investigator obtain personal telephone records. Sounds like a great guy. I am sure he will quickly be snapped up by Big Oil, just like Richard Armitage (Plamegate) who now sits on the board of ConcocoPhilips. Crime does pay, if it's bigtime crime.

http://www.theage.com.au/news/Technology/HPs-ethics-chief-pointed-investigator-toward-directors-suspectedof-leaking-email-shows/2006/09/23/1158431932837.html

[CancerMan2]

Oops, Posted In The Wrong Section

Meant to post re: the HP story

[wbenton]

Common Sense 101

This article proves several things:

#1. Security Pros are capable of coming out with a patch quicker than Microsoft proving that Microsoft is DEFINATELY NOT A SECURITY PRO!!!

#2. Microsoft feels that they can postpone their patch until their regularly released Oct 10th patching time-frame when the rest of the security world follows the guidelines of 24-hours to fix Critical flaws and 72-hours to fix non-critical flaws... not like Microsoft whom feels that Critical flaws can be delayed at least 21 days!

#3. That IE is not worth the disk space it resides on... and at todays disk space prices... that ain't much at all.

#4. If nobody used IE... such a flaw wouldn't mean a hill of beans!!!

#5. Microsoft's stance towards stronger security doesn't mean a hill of beans either.

#6. If you want to be hacked over and over and over again... continue using IE.

Walt

[Hardrada]

thanks - now get back to work making coffee

oh, and btw, interesting that you'd cite a CNET article as 'proof' of anything.

Here's how I see it -
IE is free and Microsoft pretty much maintains it for me, so I use it.
A bunch of folks trying to make a name for themselves and look smart have decided to try and beat Microsoft to the punch in the hope of looking good while embarassing Microsoft, casting themselves as heroes who stepped in when Microsoft just couldn't deliver.
A bunch of folks in this forum are trying to demonstrate how clever and irreverant they are by using Firefox and Linux.

Your computer is a tool that helps you get things done. Run linux and all those things will take longer. Buy a Mac and you become the tool.

[wbenton]

Microsoft's Workaround

One of Microsoft's workarounds says to turn off Active-X.

But if you turn off Active-X, you won't be able to automatically update their up and coming patch when ever it is due. (* LOL *)

Seems like Microsoft is walking all over their own two feet on this one. (* GRIN *)

At least the Security Pros are on their toes!!!

Walt