
Security

July 29, 2009 12:24 PM PDT

Single misplaced '&' caused latest IE exploit

by Lance Whitney
  • 52 comments

A security hole in Internet Explorer that opened the browser to hackers since early July was caused by a single typo in Microsoft's code.

An errant ampersand ("&") took the blame for the exploit, admitted Microsoft in a blog published Tuesday at its Security Development Lifecycle (SDL) Web site.

Michael Howard, a security program manager at Microsoft, explained in his blog that the typo corrupted the code of an ActiveX control used by the browser. The control was created by Microsoft using an older library of code, which Howard admitted has flaws. Because of those flaws, the typo caused the code to write untrusted data, exposing the browser to the bad guys.

Outside of its regular Patch Tuesday routine, Microsoft issued an emergency fix for IE, which it said would block attempts to exploit the flaw in ActiveX controls.

Development tools like Microsoft's own Visual Studio use the same library of code, known as Active Template Library (ATL). On the same day it released the emergency patch for IE, the company also released a Visual Studio fix.

Howard said the typo would have been difficult to spot in a review of the code, and that none of Microsoft's code analysis methods would have uncovered it either.

In his blog, Howard played a high-tech version of "Where's Waldo?" by challenging readers to find the typo amid a few short lines of code, even hinting that it was a single character.

The code lines he listed were:
__int64 cbSize;
hr = pStream->Read((void*) &cbSize, sizeof(cbSize), NULL);
BYTE *pbArray;
HRESULT hr = SafeArrayAccessData(psa, reinterpret_cast<LPVOID *>(&pbArray));
hr = pStream->Read((void*)&pbArray, (ULONG)cbSize, NULL);

And his riddle for readers:
"I'll give you one more clue - it's a one character typo. Give up? Look at the last line. The first argument is incorrect. It should be: hr = pStream->Read((void*)pbArray, (ULONG)cbSize, NULL);"
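The effect of the stray "&" can be reproduced without COM. The following is an added example, not code from Howard's blog or from ATL: MockStream, run_case, and read_bytes are hypothetical names, and the stream contents are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

typedef unsigned char BYTE;

// Hypothetical stand-in for a COM stream; Read() has the same untyped
// void* destination as the pStream->Read() call quoted in the article.
struct MockStream {
    const BYTE* data; size_t len; size_t pos;
    long Read(void* pv, unsigned long cb, unsigned long* pcbRead) {
        size_t n = (cb < len - pos) ? cb : len - pos;
        std::memcpy(pv, data + pos, n);
        pos += n;
        if (pcbRead) *pcbRead = (unsigned long)n;
        return n == cb ? 0 : 1;  // 0 models S_OK, 1 models S_FALSE
    }
};

struct Outcome { bool pointer_intact; bool buffer_filled; };

// Runs the article's last line with or without the stray '&'.
// cb is kept at sizeof(BYTE*) so the buggy write stays inside the pointer
// variable; with a larger, stream-supplied cbSize it would run past it.
Outcome run_case(bool with_typo) {
    BYTE untrusted[sizeof(BYTE*)];               // constructed stream contents
    std::memset(untrusted, 0x41, sizeof untrusted);
    MockStream s = { untrusted, sizeof untrusted, 0 };

    BYTE buffer[sizeof(BYTE*)] = { 0 };          // where the data should go
    BYTE* pbArray = buffer;
    BYTE* const before = pbArray;

    if (with_typo)
        s.Read((void*)&pbArray, sizeof untrusted, NULL);  // writes over the pointer
    else
        s.Read((void*)pbArray, sizeof untrusted, NULL);   // writes into the buffer

    Outcome o;
    o.pointer_intact = std::memcmp(&pbArray, &before, sizeof pbArray) == 0;
    o.buffer_filled  = buffer[0] == 0x41;
    return o;
}

// Hardened wrapper: the destination is typed and carries its capacity, so
// passing &pbArray (a BYTE**) is a compile error instead of a silent cast,
// and a length read from the stream is checked before it is used.
bool read_bytes(MockStream& s, BYTE* dst, size_t capacity, int64_t cbSize) {
    if (dst == NULL || cbSize < 0 || (uint64_t)cbSize > capacity) return false;
    unsigned long got = 0;
    return s.Read(dst, (unsigned long)cbSize, &got) == 0 && got == (unsigned long)cbSize;
}

int main() {
    Outcome bad = run_case(true), good = run_case(false);
    std::printf("typo:  pointer intact=%d buffer filled=%d\n", bad.pointer_intact, bad.buffer_filled);
    std::printf("fixed: pointer intact=%d buffer filled=%d\n", good.pointer_intact, good.buffer_filled);
    return 0;
}
```

The `(void*)` cast is what lets both forms compile; a reader function with a typed destination, as in read_bytes, turns the same typo into a build failure.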

The hole was originally uncovered earlier this month by a pair of German researchers. Thomas Dullien (also known as Halvar Flake), CEO of Zynamics GmbH, and his friend Dennis Elser detailed their discovery in a blog. After the exploit became known, the two did some digging into the code and found the unwanted "&" character.

So what will Microsoft do to guard against future typos?

In his blog, Howard acknowledged the need to clean up the company's coding process. He said that Microsoft will update the tools it uses to find these types of errors. The company will also require its programmers to use the newer ATL code. In the past, Microsoft never told its programmers what to use. But, says Howard in his blog, "We're going to change that!"

Originally posted at Microsoft
Lance Whitney wears a few different technology hats--journalist, Web developer, and software trainer. He's a contributing editor for Microsoft TechNet Magazine and writes for other computer publications and Web sites. You can follow Lance on Twitter at @lancewhit. Lance is a member of the CNET Blog Network, and he is not an employee of CNET.
March 5, 2009 5:55 PM PST

Report: Firefox buggier, but issued fixes quicker

by Steven Musil
  • 33 comments

Mozilla reported more vulnerabilities in its Firefox Web browser last year than Internet Explorer, Safari, and Opera combined, but Mozilla dealt with those flaws quicker than Microsoft, according to a new report by vulnerability-testing company Secunia.

Firefox had 115 reported flaws in 2008, nearly four times as many as every other popular browser, and nearly twice as many as Microsoft and Apple combined, according to browser vulnerability research (PDF) released this week. In comparison, Microsoft reported 31 flaws in IE, Apple reported 32 in Safari, and Opera reported 30.

However, the report found that Mozilla was quicker to patch Firefox's flaws that were disclosed publicly without vendor notification compared with Microsoft. These "zero day" vulnerability disclosures contain information that can be used by attackers to write exploits for the flaw. The longer it takes vendors to release an update that repairs the vulnerability, the longer users of the browser are at risk.

Secunia reports that Microsoft took longer to fix two more serious flaws than Mozilla did with two less serious flaws.

(Credit: Secunia)

Secunia reported six incidences in which Microsoft was publicly notified of browser vulnerabilities, two of which the security company labeled as "high" or "moderate" in severity. Meanwhile, Mozilla experienced three such occurrences, all of which Secunia labeled as "less critical" or "not critical."

Microsoft took 110 days to issue patches for the two most serious flaws, while it took Mozilla an average of 43 days to address its three flaws, Secunia reported. One of the IE vulnerabilities remained open for 294 days in 2008, according to the report.

The revelation comes as Mozilla released an update Wednesday to Firefox, its second in about a month. Mozilla developers said the update fixes six critical vulnerabilities found in Firefox 3.0.6, the most serious of which could allow attackers to run arbitrary code on a victim's computer.

Firefox continues to chip away at Internet Explorer's market dominance. Mozilla now has 21.77 percent of the global browser market share, compared with IE's 67.44 percent, a drop of more than 7 percentage points in a year, according to figures from Web metrics company Net Applications.

December 17, 2008 11:18 AM PST

Microsoft releases patch for critical IE security flaw

by Dawn Kawamoto
  • 22 comments

Microsoft released a critical security patch on Wednesday to plug vulnerabilities in Internet Explorer, a move that comes amid malicious attackers taking advantage of the security flaws.

The patch is designed to prevent attackers from downloading malware onto users' computers if they visit a malicious Web site, or a legitimate Web site that has been infected.

This zero-day exploit has been in circulation since the first week of December and potentially could have infected a wide swath of users.

The vulnerabilities are found in not only IE 7, Microsoft's latest browser, but also Internet Explorer 5.01, Internet Explorer 6, and Internet Explorer 6 Service Pack 1.

December 10, 2008 11:58 AM PST

Zero-day exploit hits Internet Explorer

by Robert Vamosi
  • 24 comments

One flaw not addressed in yesterday's Patch Tuesday is a heap overflow within the XML parser reported on Wednesday by Bojan Zdrnja of the SANS Internet Storm Center.

The exploit in the wild on Wednesday creates an XML tag, then waits 6 seconds in an attempt to thwart antivirus engines. The exploit could then crash the browser and run malicious code when the browser is restarted. The user must be running Windows XP or Windows Server 2003, and using Internet Explorer 7.

Zdrnja writes that "at this point in time, it does not appear to be wildly used, but as the code is publicly available, we can expect that this will happen very soon."

A Microsoft representative said the company is "investigating new public claims of a possible vulnerability in Internet Explorer. Once we're done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update, or additional guidance to help customers protect themselves."

As for a workaround, Zdrnja suggests using a browser other than Internet Explorer. Microsoft says anyone who has been affected by this exploit can get help online or by calling the PC Safety hotline at 1-866-PCSAFETY.

December 9, 2008 12:41 PM PST

Microsoft fixes 28 flaws; 6 are critical

by Robert Vamosi
  • 37 comments

Microsoft on Tuesday released its December 2008 security bulletin. The "critical" bulletins affect Windows GDI, Word, Excel, Internet Explorer and Windows Search. The "important" updates affect SharePoint and Windows Media Components.

Microsoft is including within each bulletin an "exploitability index" to help system administrators prioritize the patches. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS08-070: Critical

Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution (932349)", this bulletin affects the Microsoft Visual Basic 6.0 Runtime Extended Files; all supported editions of Microsoft Visual Studio .Net 2002, Microsoft Visual Studio .Net 2003, Microsoft Visual FoxPro 8.0, Microsoft Visual FoxPro 9.0, Microsoft Office Project 2003, and Microsoft Office Project 2007. This bulletin addresses the vulnerabilities detailed in CVE-2008-4252, CVE-2008-4253, CVE-2008-4254, CVE-2008-4255, CVE-2008-4256, and CVE-2008-3704, which could allow remote code execution "if a user browsed a Web site that contains specially crafted content," Microsoft says.

MS08-071: Critical

Exploitability index: 2-3. Microsoft recommends that customers apply this update immediately. Titled "Vulnerabilities in GDI Could Allow Remote Code Execution (956802)", this bulletin is rated critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This bulletin addresses the vulnerabilities detailed in CVE-2008-2249 and CVE-2008-3465. Microsoft says "exploitation of either of these vulnerabilities could allow remote code execution if a user opens a specially crafted WMF image file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

MS08-072: Critical

Exploitability index: 1-3. Microsoft recommends that customers apply this update immediately. Titled "Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (957173)," this bulletin is rated critical for supported editions of Microsoft Office Word 2000 and Microsoft Office Outlook 2007. For supported editions of Microsoft Office Word 2002, Microsoft Office Word 2003, Microsoft Office Word 2007, Microsoft Office Compatibility Pack, Microsoft Office Word Viewer 2003, Microsoft Works 8, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac, this security update is rated important. This bulletin addresses the issues detailed in CVE-2008-4024, CVE-2008-4025, CVE-2008-4026, CVE-2008-4027, CVE-2008-4030, CVE-2008-4028, CVE-2008-4031, and CVE-2008-4837. Microsoft says this bulletin resolves "eight privately reported vulnerabilities in Microsoft Office Word and Microsoft Office Outlook that could allow remote code execution if a user opens a specially crafted Word or Rich Text Format (RTF) file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

MS08-073: Critical

Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Cumulative Security Update for Internet Explorer (958215)", this bulletin is rated critical for Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1, running on Microsoft Windows 2000; Internet Explorer 6 running on Windows XP; and Internet Explorer 7. For Internet Explorer 6 running on Windows Server 2003, this security update is rated "moderate." This update addresses the vulnerabilities detailed in CVE-2008-4258, CVE-2008-4259, CVE-2008-4260, and CVE-2008-4261. Microsoft says the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.

MS08-074: Critical

Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (959070)," this bulletin is rated critical for all supported editions of Microsoft Office Excel 2000. For all supported editions of Microsoft Office Excel 2002, Microsoft Office Excel 2003, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2007, Microsoft Office Compatibility Pack, Microsoft Office Excel Viewer, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac, this security update is rated important. For Internet Explorer 6 running on Windows Server 2003, this security update is rated moderate. This update addresses the vulnerabilities detailed in CVE-2008-4265, CVE-2008-4264, and CVE-2008-4266. Microsoft says if a user opens a specially crafted Excel file an attacker could exploit these vulnerabilities and take complete control of an affected system.

MS08-075: Critical

Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Vulnerabilities in Windows Search Could Allow Remote Code Execution (959349)", this bulletin is rated critical for all supported editions of Windows Vista and Windows Server 2008. This update addresses the vulnerabilities detailed in CVE-2008-4268 and CVE-2008-4269. Microsoft says that "these vulnerabilities could allow remote code execution if a user opens and saves a specially crafted saved-search file within Windows Explorer or if a user clicks a specially crafted search URL. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system."

MS08-076: Important

Exploitability index: 1. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerabilities in Windows Media Components Could Allow Remote Code Execution (959807)", this bulletin is rated important for Windows Media Player 6.4, Windows Media Format Runtime 7.1, Windows Media Format Runtime 9.0, Windows Media Format Runtime 9.5, Windows Media Format Runtime 11, Windows Media Services 4.1, Windows Media Services 9 Series, and Windows Media Services 2008. This update addresses the vulnerabilities detailed in CVE-2008-3009 and CVE-2008-3010. Microsoft says the "most severe vulnerability could allow remote code execution. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system."

MS08-077: Important

Exploitability index: 1. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege (957175)", this bulletin is rated important for all supported editions of Microsoft Office SharePoint Server 2007 and Microsoft Search Server 2008. This update addresses the vulnerability detailed in CVE-2008-4032. Microsoft says the "vulnerability could allow elevation of privilege if an attacker bypasses authentication by browsing to an administrative URL on a SharePoint site. A successful attack leading to elevation of privilege could result in denial of service or information disclosure."

October 3, 2008 12:01 AM PDT

'Internet safety' may be an oxymoron

by Dennis O'Reilly
  • 8 comments

To the short list of life's certainties--death and taxes--we can now add "Web threats."

Early indications are that there will be no quick fix for clickjacking, which enables a PC to be infected with malicious software simply by clicking a disguised link on a Web page. All browsers are equally vulnerable, and there appears to be no sure solution, at least in the short term. Even disabling JavaScript and other advanced Web features won't prevent an infection.

Does this mean you should cancel your broadband account and dig out the ham radio? I don't recommend it. In fact, reports such as these show the folly of believing that our Web browsing is ever completely safe. No hardware or software will ever be 100 percent secure.

Yes, keep your antivirus definitions up-to-date. Yes, use a firewall. Download and install Giorgio Maone's NoScript extension for Firefox (donation requested) to gain site-by-site control over the scripts that run in the browser.

But even these precautions are no substitute for common sense. Be careful about the sites you visit and the links you click. View your e-mail as plain text; Microsoft's support site provides instructions for doing so in Outlook 2003 and 2007. In Mozilla Thunderbird, simply click View, Message Body As, Plain Text.

Last, but definitely not least, every PC user must acknowledge that the day will dawn when their system crashes for good--whether due to a malware attack or (more likely) a hardware or software failure. Keep your data backed up. In addition to creating an image backup of your hard drive once or twice a year, using a program such as Acronis' $50 True Image Home (15-day free trial), use an online backup service to keep your important data files fresh.

Originally posted at Workers' Edge
Dennis O'Reilly has covered PCs and other technologies in print and online since 1985. Along with more than a decade as editor for Ziff-Davis's Computer Select, Dennis edited PC World's award-winning Here's How section for more than seven years. He is a member of the CNET blog Network, and is not an employee of CNET.
August 27, 2008 1:33 PM PDT

IE 8 beta gives other browsers a run for their money

by Robert Vamosi
  • 60 comments

Don't count Internet Explorer out just yet.

On Wednesday, Microsoft released the second public beta for Internet Explorer 8. If anything, this release brings IE up to par with alternative browsers such as Opera, Apple's Safari, and Mozilla's Firefox in terms of security and features. It also pushes Microsoft a little ahead of the competition.

The user interface hasn't changed much since Internet Explorer 8 Beta 1, except to add a Security pull-down menu between Page and Tools on the main toolbar. In addition to blocking phishing sites, IE 8 now highlights the main domain of any Web site you visit. Thus if you think you are on eBay's site and something other than ebay.com is highlighted, chances are you are on the wrong Web site.


IE 8 also contains a cross-site scripting filter, one of the first in a mainstream browser. Cross-site scripting allows an attacker to execute script on a user's browser without them knowing. When the IE 8 filter finds a Web page with a cross-site scripting request, it changes the content on the page with a notice. Users are not presented with an option; IE simply blocks the malicious script from executing and then displays the rest of the page.

In another feature, known as InPrivate, Microsoft lets you suspend caching functions while you surf. The scenarios for using InPrivate include when you're using someone else's computer, for instance, when you need to buy a gift for a loved one without ruining the surprise, or when you're at an Internet kiosk and don't want the next person to know which Web site you visited. While you can currently clear the browser cache with a mouse click, it's an all-or-nothing action. InPrivate temporarily suspends the automatic caching functions, allowing you to keep the rest of your browsing history intact. Apple Safari has offered this feature for a while, but Mozilla Firefox does not.

IE 8 Beta 1 has already introduced several behind-the-scenes security changes. For example, ActiveX components will be installed per user, which eliminates the need for everyone to have administrator privileges. In addition, you must acknowledge or opt in for the component to run, eliminating drive-by downloads. Components will be per site and will only be available from the site of origin. Finally, site developers can request killbits from Microsoft which can be sent via Windows Update to terminate risky or outdated components.

Also, IE 8 Beta 1 included Microsoft's own brand of malware protection. Earlier this year, Opera added Haute Secure malware protection, and Mozilla enhanced its Google and StopBadware malware protection in Firefox 3.

See also:
Internet Explorer 8 Beta 2 screenshots
Review: Internet Explorer 8 beta 2
Daily Debrief video: The newest IE 8

August 25, 2008 3:39 PM PDT

IE 8 to include private browsing feature

by Robert Vamosi
  • 30 comments

As CNET News first reported last week, Internet Explorer 8 will include a way to surf somewhat anonymously, allowing the user to suspend browsing history, cookies, and other identifying information. Mozilla had considered such a feature for its Firefox 3 release, but dropped it for technical reasons. Apple Safari also includes a similar feature.

Known as InPrivate, Microsoft is touting the feature as one of several security enhancements within its next major browser release. The scenarios for using InPrivate include when you're using someone else's computer, when you need to buy a gift for a loved one without ruining the surprise, or when you're at an Internet kiosk and don't want the next person to know which Web site you visited. While you can currently clear the browser cache with a mouse click, it's an all-or-nothing action. InPrivate temporarily suspends the automatic caching functions, allowing you to keep the rest of your browsing history intact.

ZDNet columnist Mary Jo Foley calls InPrivate IE's "porn mode."

The IE development team at Microsoft has more details about InPrivate here. They've even produced a video.

InPrivate will be available in IE8 Beta 2, which is expected to be released sometime before the end of the month. Final release for the browser remains scheduled for November.
