A computer science researcher has highlighted the shortcomings of Microsoft's latest patch for its Internet Explorer browser by identifying another way that online vandals could run malicious programs on a Web surfer's computer.
Microsoft on Friday released a fix that's designed to protect computers from one of three flaws that, together, could be used to digitally slip past a PC's security through the browser. This weekend, however, a security researcher identified another flaw that could serve the same purpose and that isn't fixed by Microsoft's patch.
"They chose to address only one part of the problem," said Jelmer Kuperus, a computer science student in the Netherlands who posted the code for the work-around. "They should have seen this one coming."
This marks the third time in a month that Microsoft has had to play catch-up to researchers' public disclosures about insecurities in Internet Explorer. In early June, Kuperus found a Web site that used two previously unknown vulnerabilities, plus the recently patched one, to install adware on victims' computers. Additionally, security researchers discovered last week that a milder vulnerability, which Microsoft had fixed in early versions of the browser, reappeared in later versions.
Microsoft acknowledged the latest issue and said more fixes would be forthcoming.
"The company is working to provide a series of security updates to Internet Explorer in coming weeks that will provide additional protection for customers," a company representative told CNET News.com. The company will also "continue to actively investigate these reports."
The most recent flaw is not new--security researchers first discussed the issue in January, Kuperus said. It had originally been considered minor, but the flaw is significant because it can be used in conjunction with the two other vulnerabilities, which were found at the beginning of June. Together, all three add up to easy access to Windows computers running Internet Explorer.
"Most exploits we are seeing developed today are composed of multiple vulnerabilities, (each one) bypassing a specific security feature of Internet Explorer," Kuperus said. "Individually, many of these issues often are fairly harmless, but combined they can pose serious risk."
Both the original and the latest vulnerabilities exist in a library of components and scripting features known as ActiveX. The older flaw is in ADODB.Stream, while the latest vulnerability is in the Application.Shell component.
Vulnerabilities in IE have become so common that some security researchers are recommending that people adopt alternate browsers. The Computer Emergency Response Team, the official U.S. body responsible for defending against online threats, also advised security administrators to consider moving to a non-Microsoft browser, as one of six recommended responses.
Microsoft recommends that users go to the company's Protect Your PC site for the latest information.
IE is the only way you can use the Windows Update function to update a computer. How can we protect our PCs from the vulnerabilities, that Microsoft failed to fix before releasing any versions of Windows, without using a piece of software that is as big of a flaw that could have ever been made? Makes no sense to me. Mozilla is a stable browser and would love to be able to convert completely to it, but yet I can't because I have to use the security flaw proned IE to update my machine. Have been toying with the idea of switching to Linux 100%.
While experts may be recommending changing browsers, for some of us, it's just not an option. If you're blind, Internet Explorer is the only browser that works well with our speech software. I really wish somebody else would develop a browser and work with manufacturers of assistive technology to make it functional for us. I've had people recommend I drop IE, but I'd pretty much have to drop the Internet.
Brad (from <a href="http://home.earthlink.net/~sendmyfriend"> Send My Friend to College</a>
Linux has a lot of features to make the software available to the handicapped. I don't know how well they work though.
A client stopped by today with a M$XP computer trashed by virii. I tried to talk him into Linux, but he insisted that he HAD to run a certain game that had not yet been ported to Linux. I guess it runs OK on a M$ virii trashed computer!
Nevertheless, I have installed a dozen Linux Fedora Core 2 distributions over the last week at my Superwhamadyne Cyber Cafe.
I'm using Windows XP and I get tons of popups. I switched the Opera and don't even close to as many cookies, spyware, and popups as I did when I had Internet Explorer. I find that most of the time webpages give me popups and misleading virus alerts. I hope that MIcrosoft comes out with a new browser.
I'm using Windows XP and I get tons of popups. I switched to Opera and I don't even get close to as many cookies, spyware, and popups as I did when I had Internet Explorer. I find that most of the time webpages give me popups and misleading virus alerts. I hope that MIcrosoft comes out with a new browser.
Web giant is spending $120 million to beef up its Mountain View, Calif., headquarters, according to filings with the city reviewed by the San Jose Mercury News.
The Samsung Galaxy mini 2 S6500 could make its debut at the Mobile World Congress in Barcelona later this month, according to a leaked promotional image.
Tor's "obfsproxy" technology would make encrypted data look innocuous and let it dodge government censors. That could help citizens in Iran reach blocked sites as antigovernment protests reportedly loom.
MIT creates a simulation to celebrate the 50th anniversary of Spacewar. A relic of the early days of minicomputers, it was one of the first computer video games and set the stage for many others, including Asteroids.
George Lucas has just released his version of "Star Wars" in 3D, but c'mon--the guy believes Greedo shot first. Why not make your own Star Wars world? In the first installment of a Crave series, a crack team of crafters fight the power and turn paper bags into the Rebel Alliance's Admiral Ackbar. It's a sack!
Brad (from <a href="http://home.earthlink.net/~sendmyfriend"> Send My Friend to College</a>
A client stopped by today with a M$XP computer trashed by virii. I tried to talk him into Linux, but he insisted that he HAD to run a certain game that had not yet been ported to Linux. I guess it runs OK on a M$ virii trashed computer!
Nevertheless, I have installed a dozen Linux Fedora Core 2 distributions over the last week at my Superwhamadyne Cyber Cafe.